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Foreword 



Over the course of the last four decades, the Internet has developed from 
an obscure government science experiment to one of the cornerstones 
of modern life. It has transformed commerce, created social and cul- 
tural networks with global reach, and become a surprisingly powerful 
vehicle for political organization and protest alike. And it has achieved 
all of this despite — or perhaps because of — its decentralized character. 
Throughout its public history, the Internet has been built and overseen 
by an international group of technical experts and government and 
user representatives committed to maintaining an open and unfettered 
global network. 

This vision, however, and the Internet to which it gave rise, is under 
threat from a number of directions. States are erecting barriers to the 
free flow of information to and through their countries. Even Western 
governments do not always agree on common content standards — the 
United States, for example, is more accepting of neo-Nazi content or 
Holocaust denial than are France or Germany. Other countries' efforts 
to control the Internet have gone far beyond limiting hate speech or 
pornography. Iran, China, Saudi Arabia, Russia, and others have con- 
sidered building national computer networks that would tightly control 
or even sever connections to the global Internet. 

State and nonstate actors, moreover, now regularly attack the web- 
sites and internal systems of businesses. Most of these attacks are for 
theft — cost estimates of intellectual property losses range as high as 
$500 billion per year. Other activities are related to sabotage or espi- 
onage. Hacking and defacing websites or social media feeds is a fre- 
quently used tool of political competition, while destructive programs 
such as Stuxnet are becoming increasingly sophisticated. Such activi- 
ties can be expected to become more commonplace as critical systems 
become more interconnected and financial and technical barriers to 
entry for cyber activities fall further. 
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Foreword 



A balkanized Internet beset by hostile cyber-related activities raises 
a host of questions and problems for the U.S. government, American 
corporations, and American citizens. The Council on Foreign Rela- 
tions launched this Task Force to define the scope of this rapidly devel- 
oping issue and to help shape the norms, rules, and laws that should 
govern the Internet. 

The Task Force recommends that the United States develop a digital 
policy framework based on four pillars. First, it calls on the U.S. gov- 
ernment to share leadership with like-minded actors, including gov- 
ernments, private companies, and NGOs, to develop a global security 
framework based on a common set of principles and practices. Next, 
the Task Force recommends that all future trade agreements between 
the United States and its trading partners contain a goal of fostering 
the free flow of information and data across national borders while 
protecting intellectual property and individual privacy. Third, the Task 
Force urges the U.S. government to define and actively promote a vision 
of Internet governance that involves emerging Internet powers and 
expands and strengthens governance processes that include represen- 
tatives of governments, private industry, and civil society. Finally, the 
report recommends that U.S. -based industry work rapidly to establish 
an industry-led approach to counter current and future cyberattacks. 
The United States needs to act proactively on these fronts, lest it risk 
ceding the initiative to countries whose interests differ significantly 
from its own. 

The Task Force further argues for greater public debate in the United 
States about cyber capabilities as instruments of national security. 
Some forty countries, including the United States, either have or are 
seeking cyber weapons. Greater public scrutiny and discussion will, 
among other things, help define the conditions under which cyber 
weapons might be used — conditions which should likely be highly lim- 
ited in scope and subject to substantial oversight. 

I would like to thank the Task Force's distinguished chairs, John 
Negroponte and Samuel Palmisano, for their leadership and com- 
mitment to this endeavor. This Task Force report is the product of an 
impressive group of individuals with significant experience and exper- 
tise in both the public and private sectors. I am grateful to all of the Task 
Force members and observers for contributing their time and informed 
perspectives to reach a consensus — one that reflects a broad range of 
political viewpoints and professional backgrounds. 
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I also invite readers to review the additional views written by several 
Task Force members that appear at the report's conclusion. The report 
of an Independent Task Force is a document that represents the consen- 
sus among the group, and each signatory endorses the broad thrust of 
the policy recommendations. However, these additional views provide 
insight into the breadth of the debate and demonstrate the complexity 
of the issues at hand. 

My thanks also extend to Anya Schmemann, CFR's Task Force 
program director, whose guidance and direction made this project 
possible. I would finally like to thank Project Director and Maurice R. 
Greenberg Senior Fellow for China Studies Adam Segal, who expertly 
wove together the many perspectives represented by this Task Force 
in a report that is intended to educate people in the United States and 
beyond about the challenges we face in this digital age and how best to 
address them. 

Richard N. Haass 

President 

Council on Foreign Relations 
June 2013 
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Introduction: The Open and Global 
Internet Is Under Threat 



Since the idea of a worldwide network was introduced in the early 
1980s, the Internet has grown into a massive global system that con- 
nects over a third of the world's population, roughly 2.5 billion people. 
The Internet facilitates communication, commerce, trade, culture, 
research, and social and family connections and is now an integral part 
of modern life. Another 2.5 billion individuals are expected to get online 
by the end of this decade, mainly in the developing world, and further 
billions of devices and machines will be used. This enlargement to the 
rest of the globe could bring enormous economic, social, and political 
benefits to the United States and the world. New technologies could 
reshape approaches to disaster relief, diplomacy, conflict prevention, 
education, science, and cultural production. 

However, as more people are connected in cyberspace and more criti- 
cal services such as telecommunications, power, and transportation are 
interconnected, societies are becoming more dependent and more vul- 
nerable to disruption. Escalating attacks on countries, companies, and 
individuals, as well as pervasive criminal activity threaten the security 
and safety of the Internet. The number of high-profile, ostensibly state- 
backed operations continues to rise, and future attacks will become 
more sophisticated and disruptive. A global digital arms trade has now 
emerged that sells sophisticated malicious software to the highest bid- 
ders, including hacker tools and "zero-day exploits" — attacks that take 
advantage of previously unknown vulnerabilities. 

U.S. government officials have increasingly warned of the danger of 
a massive, destructive attack, and the government and private sector are 
scrambling to prevent and prepare for future cyberattacks. U.S. govern- 
ment warnings and efforts are important, but the United States should do 
more to prevent a potential catastrophic cyberattack. It also, inpartnership 
with its friends and allies, must work to define the norms of cyber conflict. 
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Defending an Open, Global, Secure, and Resilient Internet 



From its beginning, the Internet has been open and decentralized; 
its development and growth have been managed by a self-organizing, 
self-policing, and self-balancing collection of private and public actors. 
Today, as many countries seek increased security and control over the 
type of information and knowledge that flows across the Internet, that 
original vision is under attack. Some nation-states are seeking to frag- 
ment and divide the Internet and assert sovereignty over it; they are 
increasing their efforts to tightly regulate social, political, and economic 
activity and content in cyberspace and, in many cases, to suppress 
expression they view as threatening. At the December 2012 World Con- 
ference on International Telecommunications (WCIT), some countries 
moved to rewrite a 1988 treaty so that it sanctions government control 
of Internet technology and content. A truly global platform is being 
undermined by a collection of narrow national Internets. 

For the past four decades, the United States was the predominant 
innovator, promoter, and shaper of cyberspace, but the window for 
U.S. leadership is now closing. In Asia, Latin America, and Africa, the 
number of networked users is rapidly increasing. Cyberspace is now 
becoming reflective of the world's Internet users. The United States, with 
its friends and allies, needs to act quickly to encourage a global cyberspace 
that reflects shared values of free expression and free markets. 

Successfully meeting the challenges of the digital age requires a rethinking 
of domestic institutions and processes that were designed for the twentieth 
century. The rapid rate of technological change cannot help but outpace 
traditional legislative approaches and decision-making processes. The 
threats of the past were relatively slow developing and geographically 
rooted, so there was an appropriate distribution of authorities among 
defense, intelligence, law enforcement, and foreign policy agencies. 
Cyberattacks, however, can be launched from anywhere in the world, 
including from networks inside the United States, and their effects can 
be felt in minutes. Moreover, they do not always look like attacks. Many 
threats and actual compromises appear as little inconsistencies. Stolen 
data is not taken away, so the losses may never be noticed, but suddenly 
companies have new competitors or foreign actors have an uncanny 
insight into their enemies' activities. 

In the United States, a lack of a coherent vision, the absence of 
appropriate authority to implement policy, and legislative gridlock are 
significant obstacles to global leadership. The United States should act 
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affirmatively to articulate norms of behavior, regulation, and partnership, 
or others will do so. In addition, the effects of domestic decisions spread 
far beyond national borders and will affect not only users, companies, 
nongovernmental organizations (NGOs), and policymakers in other 
countries but also the health, stability, resilience, and integrity of the 
global Internet. The bottom line is clear: digital foreign policy must begin 
with domestic policy. 

The opportunities for the United States in cyberspace are great, but 
a path needs to be found between a cyberspace that has no rules and 
one that permits governments to abuse their sovereignty. At the same 
time, policymakers have to realize that even the most successful digital 
policy will have limits to what it can accomplish. The United States' 
commitment to free speech, for example, is rooted in its history and 
culture, just as French and German attitudes are toward appropriate 
limits on online hate speech or the sale of Nazi paraphernalia. These 
differences are unlikely to completely disappear no matter how well 
policy is crafted. 

To support security, innovation, growth, and thefreefow of information, 
the TaskForce recommends a U.S. digitalpolicy based onfour pillars: 

■ Alliances: The United States should help create a cyber alliance of 
like-minded actors — including governments, companies, NGOs, 
and the noncommercial sector — based on a common set of practices 
and principles. 

■ Trade: All future U.S. trade agreements should contain a goal of fos- 
tering the free flow of information and data across national borders 
while protecting intellectual property and developing an interoper- 
able global regulatory framework for respecting the privacy rights of 
individuals. 

■ Governance: The United States should articulate and advocate a 
vision of Internet governance that includes emerging Internet powers 
and expands and strengthens the multi-stakeholder process. 

■ Security: U.S. -based industry should work more rapidly to develop 
a coherent industry-led approach to protect critical infrastructure 
from cyberattacks. 



6 



Defending an Open, Global, Secure, and Resilient Internet 



DEFENDING THE OPEN, GLOBAL INTERNET 

Many of the benefits of cyberspace are self-reinforcing. Knowledge, 
information, and data cannot be shared across borders without some 
degree of security; an open and global Internet is likely to be more resil- 
ient than one that is fractured into multiple national intranets. Encour- 
aging a healthy Internet ecosystem will preserve the Internet for future 
users. As a result, U.S. decision-makers do not have the luxury of pursu- 
ing Internet trade, freedom, and security policies in isolation. 

In other instances, however, the demands for security, intellectual 
property protection, open access and innovation, privacy, and the 
free flow of information involve difficult trade-offs. Technologies that 
allow countries and companies to control and identify applications and 
content that pass through networks, for example, can increase secu- 
rity (and generate profit), but they can also cut against users' ability to 
develop new services and software. Technologies that ensure anonym- 
ity can be used by activists to oppose authoritarian regimes, but may 
also be abused by extremist groups. For example, in responding to the 
"Innocence of Muslims," the anti-Islam video made by a C alifornia resi- 
dent and uploaded on YouTube, the State Department had to balance 
defending the U.S. tradition of free speech and condemning intoler- 
ance and hate speech, while acknowledging the legitimate fear of social 
media's power to quickly disseminate incendiary materials. 

The year 2012 saw the battle over the Stop Online Piracy Act (SOPA) 
and Preventing Real Online Threats to Economic Creativity and Theft 
of Intellectual Property Act (PIPA). These two bills sought to make it 
harder for website operators — especially those outside the United 
States — to sell or distribute pirated copyrighted material or counter- 
feit goods. Though all sides in the debate agreed on the need to protect 
intellectual property from rogue foreign websites, technology com- 
panies, free speech activists, popular websites such as Wikipedia, and 
other critics argued that the provisions within the bills could result in 
the censorship of large quantities of noninfringing material, including 
political content, thereby severely limiting free expression and impair- 
ing future innovation. 

These trade-offs and tensions are evident in foreign policy as well. 
One reason some users around the world support unconstrained 
access to the Internet is that it allows them to freely download (often 
pirated) entertainment. At the same time, autocrats are increasingly 
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sophisticated about turning a blind eye to the piracy of movies and music 
but blocking political information. Any government effort to pursue a 
global anticensorship agenda and protect the intellectual property of 
U.S. -based companies must weigh these potential trade-offs. 

The Task Force recognizes that there are both considerable oppor- 
tunities and perilous challenges in cyberspace. This report identifies 
guiding principles and makes policy recommendations to mobilize a 
coalition of old friends and rising cyber powers, private firms, NGOs, 
and individual users to defend, reinforce, and expand an Internet that is 
open, global, secure, and resilient. 

Now is the time for the United States, with its friends and allies, to ensure 
the Internet remains an open, global, secure, and resilient environment for 
users. Otherwise, many potential gains will be lost to political, eco- 
nomic, and strategic fighting over the shape of cyberspace. 



Opportunities and Challenges 
of the Internet 



The United States has benefited immensely from a digital infrastruc- 
ture that is relatively open, global, secure, and resilient. The Internet is, 
in President Barack Obama's description, "the backbone that under- 
pins a prosperous economy and a strong military and an open and effi- 
cient government." 1 The United States, however, will need to navigate 
through significant challenges in cyberspace, and the American vision 
of a free and open Internet is not shared by all. The economic, social, 
and political benefits of the Internet have been truly remarkable, but 
the next two decades could be even more transformational as cyber- 
space expands to more people and into more areas of activity. The 
cyber sphere presents great opportunities, but also significant chal- 
lenges and dangers. 



OPPORTUNITIES 

Global Internet traffic is expected to triple over the next five years, 
with rapid growth in Africa, Latin America, and the Middle East. 
The world's Internet population nearly doubled between 2007 and 
2013, and is now estimated at 2.27 billion people. The Cisco Visual 
Networking Index forecasts that by 2016 there will be 18.9 billion net- 
work connections, or almost 2.5 connections for each person on earth, 
compared with 10.6 billion in 2011. New products and services will be 
born as more devices are interconnected. Chips and sensors, smaller 
and more powerful, can be embedded in more products, creating vast 
amounts of data and linking physical and digital systems. The "Inter- 
net of things" — cars, ovens, office copiers, electrical grids, medical 
implants, and other Internet-connected machines that collect data and 
communicate — could result in thirty-one billion devices connected to 
the Internet in 2020. 
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Mobile services have penetrated almost all parts of the globe. Sev- 
enty-five percent of the world's population now has access to mobile 
phones, with five billion users located in developing countries. In 
countries within the Organization for Economic Cooperation and 
Development (OECD), wireless connections are the main source 
of recent Internet expansion, overtaking fixed broadband subscrip- 
tions in 2009. Furthermore, the developing world is more "mobile" 
than the developed; Africa is the fastest-growing mobile market in 
the world, with mobile accounting for approximately 90 percent of all 
telephone connections in northern Africa. Many innovations such as 
multi-SIM-card phones, low-value recharges, and mobile payments 
originated in less developed economies and diffused from there. This 
explosion of access to mobile phones, and mobile apps in particular, 
could lead to the creation of new markets and services, especially in 
agriculture, health, finance, and government. 2 

The United States continues to lead in information communication 
technology (ICT) funding at the national level, spending $1.2 trillion 
in 2010, compared with $487 billion in China, $385 billion in Japan, 
$200 billion in the United Kingdom (UK), and $66 billion in Russia. 3 
Ranked by 2011 revenues, U.S . firms made up all of the top ten spenders 
in research and development (R&D) in information and communica- 
tion technologies. Even with rising Asian ICT R&D levels, the United 
States still accounts for more than half of global ICT R&D and nearly 
all of the global growth in 2011 to 2012. 4 

The Internet economy accounted for 4.7 percent of U.S. gross 
domestic product (GDP) in 2010 ($68.2 billion), and is projected to rise 
to 5.4 percent of GDP in 2016. The United States captures more than 
30 percent of global Internet revenues and more than 40 percent of net 
income. 5 Trade in content, media, and other intellectual property con- 
tributes $5 trillion and forty million jobs to the U.S. economy, accord- 
ing to the U.S. Department of Commerce. 

The economic impact of the Internet is global. No widely accepted 
methodologies or metrics for assessing the full effect of the Internet on 
national economies exist yet, but it is estimated that for every 10 percent 
increase in broadband penetration, global GDP increases by an aver- 
age of 1.3 percent. In a 2011 McKinsey study of thirteen countries (the 
G8 plus Brazil, South Korea, India, China, and Sweden), the Internet 
economy accounted for 3.4 percent of GDP and 7 percent of growth in 
these countries over the past fifteen years. 6 Measurement is even more 
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difficult for developing economies, but early research suggests that 
increases in Internet penetration are associated with higher exports 
overall; increasing emerging-market mobile broadband penetration to 
more than 50 percent would yield returns of $420 billion and up to four- 
teen million jobs to the global economy. 7 

Limiting or shutting down the Internet has negative consequences. 
The OECD estimates that Egypt's decision to shut off the Internet 
for five days in January 2011 resulted in direct losses of $90 million, 
with indirect social and economic effects being much larger, perhaps 
reaching an additional $100 million. 8 In a March 2013 survey of 325 
businesses with operations in China conducted by the American 
Chamber of Commerce in Beijing, 55 percent of the respondents 
said they saw China's Internet restrictions as negatively or somewhat 
negatively affecting their capacity to do business there. 9 Sixty-two 
percent said the disruption of foreign search engines make obtaining 
real-time market data, sharing time-sensitive information, or collabo- 
rating with colleagues based outside China more difficult; 72 percent 
responded that slow Internet speeds obstruct their ability to conduct 
business in China. 

The Internet has also provided profound benefits to users that 
cannot be measured financially. Compared with radio, television, or 
other media, the Internet and mobile applications allow individuals 
to find and publish new information cheaply, quickly, and globally, 
thereby sharing knowledge and creating content. In many countries, 
Internet users are eroding the government monopoly control of mass 
media; these users can now report history for themselves and establish 
their own identities, real or fake. 

Increasing access and connectivity will drive new abilities to provide 
education and deliver market information to isolated rural communi- 
ties, monitor and respond to outbreaks of disease or natural disasters, 
and support increased citizen participation in political and social move- 
ments. M-Farm, for example, is a service that provides real-time price 
information to Kenyan farmers on mobile phones, allowing them to cut 
out middlemen and sell their produce at higher prices. After the 2010 
earthquake, the Haitian government aggregated thousands of text mes- 
sages about trapped victims that had been sent to an emergency text 
number. Volunteers translated them into English and plotted them 
on a crisis map for the U.S. Coast Guard. Twenty mobile applications 
developed by the state of Kerala in India have facilitated three million 
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interactions between the government and its citizens since December 
2010. Sixty-six percent of social media users in the United States — 39 
percent of all U.S . adults — have used social media to participate in poli- 
tics by posting or responding to political views, following candidates, 
"liking" political content, or belonging to online groups. 10 

Within and across societies, the voices of individuals and commu- 
nities have been strengthened, and government accountability and 
transparency have increased. The explosion of social media and com- 
munication technologies has added new tools to traditional diplomacy 
and also energized a new "government to society" diplomacy, allowing 
U.S. officials to communicate with more people in more places and to 
reach beyond governments. 

Despite fears that the Internet and globalization more generally 
would lead to greater cultural homogeneity, cyberspace has been a plat- 
form for linguistic, artistic, cultural, religious, and ethnic expression. 
Examples include the growth in minority languages through the use 
of the Internet to connect diaspora communities. The use of Catalan 
online has grown substantially over the past ten years, connecting eight 
million speakers, and Catalan content has increased since the introduc- 
tion of the top-level domain (TLD) name — .cat — in 2006. A TLD is at 
the highest level of the hierarchical Domain Name System (DNS), the 
designation .com, .org, .gov, and others that appears farthest to the right 
in an Internet address. Global Goods Partners, a nonprofit organiza- 
tion, is one of many websites that give artisans in developing countries a 
venue to sell traditional artwork and handicrafts to customers in devel- 
oped countries. 

The Internet has also allowed religious leaders and members to con- 
nect more easily. The Islamic Broadcasting Network, based in Wash- 
ington, DC, broadcasts original programming on the Web to Muslim 
communities throughout the United States. Lakewood Church, based 
in Houston, Texas, is one of many churches that uses the Internet to 
reach out to parishioners and the general public: tens of thousands 
watch live-stream services, listen to podcasts, and read blog posts. 
Chabad.org, the website of the orthodox Jewish sect Lubavitch, claims 
7.6 million visitors per month and 365,000 email subscribers. 

The social and cultural innovation and economic growth powered by 
the Web are natural extensions of its structure. The Internet is the prod- 
uct of U.S. government-funded R&D, but it is now a global platform 
and the technical protocols underlying the networks were designed 
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to allow decentralized and distributed growth. Without needing any- 
one's permission, an entrepreneur or activist can design hardware or 
software that runs on the network and individuals can create their own 
blogs or online businesses. 

Many of the early Internet pioneers saw no need for the involve- 
ment of governments in cyberspace. They feared governments would 
restrict the rights to free expression and privacy, and so they developed 
a framework for the Internet based on self-regulation, private-sector 
leadership, and a bottom-up policy process. 11 Coordination of the core 
resources of the Internet — such as domain names, technical protocols, 
and root servers — emerged not from government dictate but as techni- 
cal experts, businesses, civil society, and individual users formed orga- 
nizations and associations to answer specific problems. 

These organizations include representatives of the world's Inter- 
net users from governments, private industry, and civil society. For 
example, the Internet Engineering Task Force — an international 
group of leading technical experts concerned with the evolution of 
the Internet's architecture and smooth operation — endorses techni- 
cal standards through an iterative "request for comment" process. The 
Internet Research Task Force promotes long-term research on Internet 
protocols, applications, architecture, and technology. Governments, 
business, and civil society can debate governance issues at the Internet 
Governance Forum. On the technical side is the Internet Corporation 
for Assigned Names and Numbers (ICANN), which was created in 
1998 as a U.S. -based, private nonprofit corporation and subsequently 
signed a contract with the U.S. Department of Commerce to take over 
a variety of oversight tasks. ICANN now coordinates Internet Protocol 
(IP) addresses, the numerical sequence that serves as an identifier for an 
Internet server; the Domain Name System, which allows users to refer 
to websites using easier-to-remember domain names rather than the 
all-numeric IP addresses; and the root server system, the master list of 
all top-level domain names. 

Few would credit these groups with a perfect record, but they have 
managed — working without government regulation — to reflect a broad 
range of perspectives and keep pace with rapidly changing technol- 
ogy. They have helped shape a free and open environment in which the 
Internet adapts to change, generates tremendous economic growth, 
and fosters innovation. 
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CHALLENGES 

The open, global Internet is unlikely to continue to flourish without 
deliberate action to promote and defend it. Political, economic, and 
technological forces are seeking to splinter the Internet into some- 
thing that looks more like national networks, with each government 
controlling its domestic sphere as well as the flow of data and informa- 
tion between countries. A global Internet increasingly fragmented into 
national Internets is not in the interest of the United States. 

Justifying their actions by claiming they are protecting children or 
national security, more than forty governments have erected restric- 
tions of information, data, and knowledge flow on the Internet or 
blocked access to sites through other means. Iran, for example, has 
blocked Twitter and YouTube and has announced that all Internet users 
will be forced to use a new system created and restricted by the Iranian 
government. A November 2012 law in Russia created a blacklist of web- 
sites that is purported to limit access to sites that promote suicide and 
illegal drug use, but has also affected political and social groups. These 
restrictions create barriers to the transfer of knowledge among societ- 
ies and run counter to the concept of a free and open Internet. 

Serious differences over whether and how to restrict access to cer- 
tain types of information in cyberspace exist even among multiparty, 
multiethnic democracies. The European Human Rights Commission, 
for example, identifies a "margin of appreciation" — an acceptance that 
some states, depending on cultural or historic traditions, may restrict 
speech and political activity to some degree in order to protect public 
morals. At the same time, the European Court of Human Rights has 
ruled that the Turkish government violated human rights when it 
completely banned YouTube from March 2007 to October 2010. In 
January 2013, a Paris court ordered Twitter to identify the authors of 
anti-Semitic tweets and create a mechanism to alert French authorities 
to "illegal content." British officials called for BlackBerry Messenger 
to be shut off during riots in August 2011, and San Francisco Bay Area 
Rapid Transit authorities turned off wireless networks in stations to 
disrupt protests. Brazil detained a Google executive when the company 
refused to take down videos that criticized a candidate in a mayoral elec- 
tion, releasing the executive only when the company complied with the 
order. India has restricted the number of text messages it allows users 



14 



Defending an Open, Global, Secure, and Resilient Internet 



to send during outbreaks of communal violence and asked Twitter, 
Facebook, and Google to censor sensitive and blasphemous posts. In 
Thailand, broad application of lese-majeste — laws against insulting or 
defaming the monarchy — and the Computer Crimes Act have resulted 
in the restriction of videos on YouTube and long prison sentences for 
bloggers and activists. 

Various nations — China, Russia, Iran, Pakistan, and Saudi Arabia 
among them — want to extend national sovereignty into cyberspace 
and are pushing for a more state-centric system to manage the Inter- 
net. These countries have pursued these goals for many years, but the 
competing visions came to a head in Dubai in December 2012 at the 
International Telecommunication Union's (ITU) World Conference 
on International Telecommunications. In the run-up to the meeting, 
the United States and its allies argued that the Internet should remain 
outside the regulation of the ITU and did not belong in the International 
Telecommunication Regulations (ITRs). When that argument failed, 
the United States rejected the rewritten ITRs, opposing provisions on 
network security, control of spam, the International Telecommunica- 
tion Union's role in Internet governance, and the definitions of authori- 
ties and actors that would have threatened the multi-stakeholder model 
of the Internet and provided justification to states that want to increase 
their surveillance of the Web. The language detailing how cybersecu- 
rity measures would be implemented, for example, was broad enough 
to allow for an abuse of power by states claiming to fight cyber criminals 
but actually cracking down on dissidents. 

Fifty-four other countries joined the United States, but another 
eighty-nine signed the document. Some of the signatories are authori- 
tarian regimes that fear the free flow of information and are happy to 
paint Washington's opposition to the ITU as self-serving, designed to 
protect U.S. influence and the market position of American technology 
companies. Yet a significant number that signed did so because they 
lack cybersecurity or other technical expertise, have a long history of 
dealing with the ITU, and see it as a credible partner. Many of the Afri- 
can countries that signed the treaty, for example, needed help in allevi- 
ating undeserved charges that mobile phone users incur when receiving 
unwanted spam messages on their phones. 

Feeling shut out of the bottom-up model of Internet governance, the 
same states may have little appreciation of the benefits of the process. 
They may not have had close contact with any of the institutions of the 
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multi-stakeholder model. NGOs, especially in the developing world, 
often lack the resources to travel to meetings to participate in relevant 
processes . In addition, some nations have voiced complaints about their 
experiences with the multi-stakeholder model. ICANN 's four- year 
delay in rolling out new international (as opposed to generic) top-level 
domain names, for example, alienated many in the developing world. 12 

The ITRs bind only those that sign them, and so the refusal by the 
United States and its allies created two tiers of treaty status, with the 
United States and abstaining countries remaining on the 1988 ITRs. 
Nevertheless, the division between those nations committed to an 
open, free Internet and those that believe governments should monop- 
olize control of the Internet did not first surface at the WCIT It has, 
however, been a running battle for at least a decade and emerged again 
in May 2013 at the fifth meeting of ITU's World Telecommunication/ 
ICT Policy Forum and at the World Summit on the Information Soci- 
ety. 13 In addition, the ITU has organized study groups to redefine its 
regulatory role in areas such as cloud computing, mobile, and next-gen- 
eration networks. In 2014, the ITU plenipotentiary meeting will define 
the group's mission, rewrite its constitution, and elect a new secretary- 
general. Currently, no candidate for the position is committed to the 
multi-stakeholder process. 

Restrictive and discriminatory operating rules complicate trade and 
slow global economic growth. Filtering, blocking, and other limitations 
on data flow make it more difficult for companies to reach their custom- 
ers and provide services or critical information to be shared globally. 
Governments are also erecting new regulatory barriers to cross-border, 
information- driven businesses. Brunei and Vietnam, for example, have 
data residency laws requiring companies to store the data they collect 
only on in-country servers; such regulations could seriously undermine 
the efficiency of cloud computing — the delivery of data and other ser- 
vices over the Internet — and shut out foreign companies from domestic 
markets. A number of other states are also either considering or have 
proposed regulations that require payment processing systems be 
located within their territories, which would have a similar dampening 
effect on global businesses. 

Moreover, regulations that constrict the flow of information not 
only create disparities among people's access to knowledge but also 
have a negative effect on the shape, architecture, safety, and resilience 
of the Internet. In 2012, for example, two proposals in the U.S . Congress 
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to allow for filtering of the DNS, which would enable the government 
to require U.S. companies to block access to certain websites, posed a 
significant risk to a wider cybersecurity strategy. 14 

Administrative and technological changes over the next few years 
threaten to destabilize the current bottom-up approach to gover- 
nance that combines the private and nonprofit sectors. The expansion 
of the DNS, for example, is intended to enhance competition, inno- 
vation, and consumer choice, but critics fear that without adequate 
coordination and oversight it could instead create consumer confu- 
sion, undermine copyright and brand rights, and increase the oppor- 
tunity for cyber crime. 15 For example, while many of the new generic 
top-level domains (e.g., .app, .search, .cloud, .news, etc.) will be man- 
aged by government entities, municipalities, standards bodies, and 
nonprofits, others will be managed by private companies who may be 
tempted to act as profit-motivated gatekeepers furthering their own 
private interests, rather than as stewards of the public interest manag- 
ing a public resource. 

Furthermore, the original pool of Internet Protocol version 4 (IPv4) 
addresses has nearly been exhausted. When IPv4 was developed in the 
late 1970s, it was hard to imagine that the world would need more than 
four billion unique IP addresses . But with the expansion of Internet use 
around the world, and the explosive growth of broadband services and 
mobile devices, there will soon not be enough addresses for everyone 
(or thing) that requests one. The new technological standard, Inter- 
net Protocol version 6 (IPv6), will provide 340 undecillion addresses, 
but deployment has been slow and unsteady. 16 The new standard is 
not immediately interoperable with the old, and switching imposes 
real costs on Internet service providers. Some of the programs used to 
translate between the two standards degrade performance, and Asia 
is adopting IPv6 at much faster rates; uneven deployment will have a 
negative impact on overall performance. 

CYBER CRIME AND CYBER ECONOMIC ESPIONAGE 

A divided cyberspace is a less than ideal result for the United States, but the 
future could be even more anarchic. Escalating attacks are challenging 
the defenses of even the most sophisticated banks and institutions. In 
September and October 2012, January 2013, and again in March 2013, 
cyberattacks disrupted the websites of Wells Fargo, J. P. Morgan Chase, 



Opportunities and Challenges of the Internet 



17 



Citigroup, U.S. Bancorp, PNC Financial Services, American Express, 
and Bank of America. The attacks did no damage to customer infor- 
mation or the companies' computer networks, but were unusually large 
and used infected servers in data centers around the world. Although a 
hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters took 
credit for the attacks, U.S. officials have argued that the attacks origi- 
nated in Iran or, at the least, were tolerated by Iranian officials. The 
networks of South Korea's three major banks and two largest broad- 
casters were disrupted in March 2013, possibly by North Korean hack- 
ers, during a time of escalating military tension on the peninsula. 

To date, the effects of the attacks have been primarily economic, 
and the estimates of the costs of cyber crime vary widely. Symantec 
Corporation estimates a cost to consumers of $110 billion globally, 
and a PricewaterhouseCoopers report claims a cost of $500 billion in 
2011. One of the first academic studies, however, of direct, indirect, and 
defense costs for credit card fraud, online banking fraud, fake antivi- 
rus, and other scams reported a significantly smaller total of just under 
$25 billion. 17 

Cyber economic espionage targets companies' business strategies, 
intellectual property, and the products of expensive, decades-long 
R&D projects, thus eroding their competitive economic advantage. 
General Keith Alexander, head of the U.S. National Security Agency 
(NSA) and U.S. Cyber Command, has called cyber economic espio- 
nage attacks on American companies the "greatest transfer of wealth in 
history," and estimates that American companies have lost $250 billion 
in stolen information and another $114 billion in related expenses. 18 
Furthermore, these attacks are accelerating, increasing by 75 percent 
between 2011 and 2012, according to the Defense Security Service. 19 
Companies, however, for various legal and economic reasons, are hesi- 
tant to discuss these attacks publicly. The twenty-seven largest U.S. 
companies reporting cyberattacks, for example, say they sustained no 
major financial losses. 20 

DISRUPTIVE AND POLITICAL ATTACKS 

Other attacks have been disruptive and political. In March 2013, Cyber- 
bunker, a Dutch company that hosts a website said to be sending spam, 
launched a record distributed denial of service (DDoS) attack on Spam- 
haus, a volunteer spam filtering organization. ADDoS attack is the use 
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of multiple compromised computers to flood a target with data in an 
effort to knock it offline. In this case, the attack spread to multiple Inter- 
net exchanges and ultimately slowed down traffic for users — primar- 
ily in Europe, but also in the Middle East, Africa, and Asia-Pacific. 21 
Activist hacker groups such as Anonymous and Lulz Security (LulzSec) 
have targeted government agencies, international organizations, and 
multinational corporations. Political hacking, website defacement, and 
DDoS attacks are now a common part of political conflict and even war, 
as seen in some examples from the Middle East and Asia. China-based 
hackers have apparently conducted cyber espionage campaigns against 
civil society actors, exile organizations, political movements, individual 
dissidents, think tanks, and media outlets such as the New York Times, 
Wall Street Journal, Bloomberg, and Washington Post. 

Governments have found cyberattacks to be a useful political and 
military tool, and state-backed attackers were apparently behind Flame, 
malware that stole information from thousands of computers in the 
Middle East; Duqu, a worm that spies on industrial control systems; 
Stuxnet, malware designed to cripple Iran's nuclear centrifuges; Sham- 
oon, malware that struck Saudi Aramco and destroyed data on approxi- 
mately thirty thousand computers; and Red October, malware that 
targets Russian language documents in Eastern European and Central 
Asian countries. Experts estimate that approximately forty countries 
have or are acquiring cyber weapons for use in combat. 22 Former U.S. 
secretary of defense Leon Panetta has warned that governments or 
extremist groups could use cyber tools to gain control of critical indus- 
trial control systems and launch attacks on critical U.S. infrastruc- 
ture, producing widespread destruction equivalent to a "cyber Pearl 
Harbor." 23 Hackers could remotely modify or reprogram industrial 
control systems that control pipelines, train tracks, dams, and electric- 
ity networks, destroying machinery and creating physical damage and 
destruction. In 2011, the Department of Homeland Security (DHS) 
reported a 383 percent increase in attacks on critical infrastructure. 24 

The vivid claim of a "cyber Pearl Harbor" may raise awareness and 
focus policy attention, but the Task Force finds that the most pressing cur- 
rent threat is not likely to be a single, sudden attack that cripples the United 
States. Such attacks involve elaborate intelligence preparation, great 
uncertainty for the attacker, and are subject to some level of deterrence 
through interdependence in the case of major states like China. 23 Rather, 
the Task Force finds that the more likely threat is a proliferation of attacks 
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that steal strategically important or valuable data and destroy confidence in 
the safety and trustworthiness of the Internet. These less-elaborate attacks 
involve less preparation, but can nevertheless do great damage to the 
confidence that makes modern banking, transport, and communica- 
tions systems work. Over time, however, future attacks could become 
even more destructive as cyber weapons and capacities proliferate and 
as electricity, power, transport, and communications infrastructures 
become increasingly dependent on the Internet. The barriers to entry 
are low on cyberattack tools, unlike nuclear weapons, and individuals 
with limited experience can quickly become capable of conducting dis- 
ruptive actions in cyberspace. 

Cyberspace could also become much more Orwellian. Technologies 
that allow for greater geolocation of users and inspection of data may 
improve security by making it much harder to attack anonymously, but 
also may reduce the innovative or generative capacities of the Internet. 
The plummeting cost of data storage and collection, as well as the pro- 
liferation of surveillance and biometric technologies, could strengthen 
authoritarian regimes and severely hamper the ability of individuals to 
organize, spread information and knowledge, and protest. 
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Policymakers have continually struggled with the challenges of the digi- 
tal age. Cyberspace crosses the borders between government agencies, 
the public and private sectors, and nations, forcing all actors into new, 
often uncomfortable relationships and strained cooperation. In addi- 
tion, most policymakers are neither technically knowledgeable nor 
culturally attuned to the ethos of the digital era. The Internet works in 
large part because it is self-organizing, self-policing, and self-balancing. 
Thus, a degree of humility about the extent to which policymakers can 
prevent the most deleterious outcomes and shape the future is in order. 

Policy decisions need to respond to and channel the economic and 
technological forces that are going to drive the evolution of cyberspace. 
Although a U.S. government initiative, Advanced Research Projects 
Agency Network (ARPANET), kick-started the cyber age, the growth 
of these global networks has been determined largely by private and 
commercial forces. The networks that support this platform are dis- 
tributed by and into private hands, and it is technology companies and 
individual end users that will innovate the next generation of technolo- 
gies. Private industry, however, does not speak with one voice. The 
entertainment industry and technology companies, for example, have 
significant differences in attitudes toward Internet regulation and the 
protection of intellectual property. 

Many of the fundamental tenets of U.S. strategy toward cyber- 
space — private sector in the lead, public-private partnerships, infor- 
mation sharing, international outreach — emerged in the 1990s. In 
1998, the Clinton administration released A Framework for Global 
Electronic Commerce, which called for the private sector to take the 
lead in the development of the Internet and for government to avoid 
imposing unnecessary restrictions. A white paper that same year 
called for movement of the DNS from the federal government to a pri- 
vate, nonprofit, internationally representative organization eventually 
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known as the Internet Corporation for Assigned Names and Num- 
bers, or ICANN. Presidential Decision Directive 63 (PDD 63), the first 
national cybersecurity strategy, was released in May 1998 and focused 
on critical infrastructure protection and public-private partnerships, 
and it created several information-sharing organizations such as the 
Information Sharing and Analysis Centers and National Infrastruc- 
ture Protection Center. Later that same year, the Pentagon established 
the first joint cyber war fighting group, the Joint Task Force for Com- 
puter Network Defense. 

The 2003 National Strategy to Secure Cyberspace also concentrated 
on defending critical infrastructure, echoing the calls for private lead- 
ership and better public-private coordination of the preceding policies: 
"In general, the private sector is best equipped and structured to respond 
to an evolving cyber threat." 26 The strategy called for the government 
to work with private industry to create an emergency response system 
to cyberattacks, as well as measures for strengthening counterintelli- 
gence, improving attack attribution, and using international organiza- 
tions to facilitate a "global 'culture of security.'" In the last days of his 
administration, President George W. Bush launched the Comprehen- 
sive National Cybersecurity Initiative (CNCI). 27 CNCI called for the 
development of an intrusion detection system and designated DHS to 
play the lead role in defending government networks, the implementa- 
tion of a government- wide cyber counterintelligence plan, development 
of deterrence strategies, and the definition of the federal government's 
role for extending cybersecurity into critical infrastructure. 

CYBERSPACE AND THE 
OBAMA ADMINISTRATION 

The Obama administration signaled the importance of cybersecurity 
early in its first term. In February 2009, President Obama ordered a 
sixty-day review of cybersecurity plans and programs. 28 The review 
noted that the nation was at a crossroads of maintaining a digital 
infrastructure that encourages efficiency and innovation, and protect- 
ing safety, security, and privacy. It recognized that the private sector 
"designs, builds, owns, and operates most of the digital infrastructure," 
but that the federal government "cannot entirely delegate or abrogate 
its role in securing the nation from a cyber incident or accident." The 
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review recommended the appointment of a cyber policy coordinator, 
dual-hatted to the National Security Council (NSC) and National Eco- 
nomic Council; evaluation and continuation of much of the Compre- 
hensive National Cybersecurity Initiative; and designation of a privacy 
and civil liberties official to the NSC cybersecurity directorate. As 
the administration reportedly had difficulty finding a suitable candi- 
date for the position, much of the attention in the first year after the 
review focused on whether the cyber "czar" would have the appropri- 
ate budget, access to the president, and political authority necessary to 
coordinate the numerous agencies responsible for cyberspace. These 
questions remain today. 

The Obama administration review also called for development of an 
international cybersecurity policy framework, which was released two 
years later, in May 2011. The International Strategy for Cyberspace laid 
out an overarching vision of the agenda for cyberspace: protecting free- 
dom of expression, promoting innovation and protecting intellectual 
property, supporting the multi-stakeholder model, preventing attacks 
and crime, and enabling military operations. The strategy identifies 
the use of diplomacy, defense, and development "to promote an open, 
interoperable, secure, and reliable information and communications 
infrastructure." 29 The diplomatic process is to mirror the processes of 
the Internet itself — "distributed systems require distributed action" — 
and so U.S. diplomats have engaged with multiple actors in multiple 
forums: close partners and NATO; the G8 and regional groupings such 
as the Association of Southeast Asian Nations (ASEAN) Regional 
Forum and the Organization for Security and Cooperation in Europe 
(OSCE); the United Nations and the ITU; and technical and other 
working groups. In addition, the strategy has a deterrence component, 
clearly stating that the United States "will respond to hostile acts in 
cyberspace as we would to any other threat to our country." The U.S. 
response will not necessarily be limited to cyber, but may also include 
diplomatic, informational, military, and economic means. 

The strategy called for U.S. officials to concentrate their efforts in 
eight areas: international standards and openmarkets, network defense, 
military alliances and cooperative security, Internet governance, inter- 
national development and capacity building, the support of Internet 
freedom and privacy, law enforcement, and extending the reach of the 
Council of Europe's Convention on Cybercrime (also known as the 
Budapest Convention). The convention establishes a baseline set of 
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laws; parties to the treaty agree to criminalize computer crimes, includ- 
ing illegal access and interception, data and system interference, misuse 
of devices, forgery, fraud, child pornography, and intellectual property 
offenses. It also requires signatories to cooperate in the investigation 
and prosecution of crimes, though states can opt out of the duty to 
cooperate if the request infringes on sovereignty, security, or other crit- 
ical interests. As of March 2013, thirty-nine countries have ratified the 
treaty, including the United States, but China and Russia are among the 
scores of countries that have not signed. 30 Russia has protested against a 
provision in the treaty that would let foreign investigators work directly 
with network operators and avoid government officials, while other 
nation-states have complained they were not part of the convention's 
creation or are skeptical of the convention's European provenance. 

In May 2010, the United States created U.S. Cyber Command, and 
deterrence and other military components of cyberspace were further 
developed in the 2011 Department ofDefense (DOD) Strategy for Oper- 
ating in Cyberspace. The strategy has five components: treat cyberspace 
as an operational domain — in addition to land, sea, air, and space — to 
organize, train, and equip so that DOD can take full advantage of cyber- 
space's potential; develop the concept of active defense; partner with the 
public and private sectors; leverage talent and innovation; and work 
with U.S . allies and partners to build new cybersecurity relationships. 31 
Notably absent, however, was a discussion of offensive cyber opera- 
tions, for which DOD has developed some classified doctrine and rules 
of engagement, according to press reports. At his confirmation hearing, 
Secretary of State John Kerry called cyberattacks a "twenty-first cen- 
tury nuclear weapons equivalent," and pledged to engage in diplomacy 
and negotiation to establish rules of the road for cyberspace. 

In three speeches over 2010 and 2011, former secretary of state Hill- 
ary Clinton laid out the opportunities arising from and threats to the 
free flow of information on the Internet. 32 Clinton identified informa- 
tion networks as a "new nervous system for our planet" and asserted 
that users must be assured freedom of expression and religion online, 
as well as the right to access the Internet and thereby connect to web- 
sites and other people. The State Department has promoted these four 
freedoms in international organizations and funded the development 
of technologies to allow users to circumvent censorship and remain safe 
online. Officials have also collaborated with grassroots organizations 
around the world to help them use online tools and develop strategies 
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to magnify their influence. The Internet Freedom Fellows program, for 
example, brings human rights activists to Geneva, Washington, and 
Silicon Valley to meet with other advocates, U.S. and international gov- 
ernment leaders, and members of civil society and the private sector. 33 
Clinton also called on private-sector companies to do more to protect 
the flow of information both by resisting calls for censorship from coun- 
tries they do business in and by restricting sales of hardware, software, 
and technology services that could be abused by authoritarian regimes. 
The State Department under John Kerry is expected to make an even 
more aggressive push in using the tools of social networking in public 
diplomacy in order to communicate with citizens in critical countries 
and regions. 

Parallel to these security and diplomatic efforts, the Commerce 
Department's Internet Policy Task Force has been conducting a "com- 
prehensive review of the nexus between privacy policy, copyright, 
global free flow of information, cybersecurity, and innovation in the 
Internet economy." 34 Work in the area of privacy is most developed and 
is expected to serve as a template for the other areas. The basic assump- 
tion is that regulation is necessary to maintain consumer trust, but 
should remain light to promote innovation and growth. For example, 
the Consumer Bill of Rights is not prescriptive but a code of conduct 
developed in cooperation with industry and civil society, which could 
become legally enforceable. The Department of Commerce is also 
working with the Asia-Pacific Economic Cooperation (APEC) forum 
and the European Union (EU) so U.S . standards on privacy are interop- 
erable with global practices. In addition, Commerce and the U.S. Trade 
Representative (USTR) should also support other nations' efforts to 
protect intellectual property and protect against illegal piracy of copy- 
righted works. 

GUIDING PRINCIPLES: THE UNITED STATES 
SHO ULD GET ITS HO USE IN ORDER 
AND WORK WITH PARTNERS 

More than any of its predecessors, the Obama administration has devel- 
oped a comprehensive and energetic strategy for cyberspace. But for the 
United States to build on these policy efforts, it needs to get its domes- 
tic house in order. Given its historic role in developing the Internet and 
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because U.S. companies and universities remain at the technologi- 
cal cutting edge, the United States continues to be an important role 
model, both positively and negatively. Washington's influence is more 
likely to be positive when it recognizes cyberspace is a global issue, not 
one simply of national economic, strategic, and political interest. Previ- 
ous success in areas such as democracy promotion and human rights 
depended heavily on leadership by example. If the United States wants to 
lead in cyberspace, it should practice what it preaches. 

The lack of U.S. coordination and coherent vision and the absence of 
appropriate authority to implement policy are important barriers to global 
leadership for the United States. Cyberspace policymaking is spread pri- 
marily among the White House and the Departments of Defense, State 
(DOS), Commerce, Justice (DOJ), and Homeland Security; no single 
individual or agency is in charge, short of the president. Decentralizing 
the process has advantages, but the White House needs to better define 
national roles, strategies, and responsibilities, especially among the trio 
of D OD, DHS, and D OJ . 

The erratic and somewhat desultory debate on domestic regulatory 
standards for cybersecurity risks ceding the initiative to more active 
parties, especially the European Union. This may happen even without 
the EU actively imposing or other states willingly adopting European 
standards. In a number of economic sectors, regulations have migrated 
from Brussels to other economies in part because of market size and 
the EU capability, as well as the prohibitive cost to firms of maintaining 
different standards in different markets. 35 

The United States should be cognizant that its actions at home rever- 
berate abroad. The State and Commerce Departments, for example, 
promote ICANN's role in the multi-stakeholder model of Internet 
governance as counter to the ITU. Many states are already skeptical of 
ICANN's autonomy from U.S. government control, given its history 
and the Commerce Department's contract with ICANN. Congres- 
sional efforts to pressure the Commerce Department to have ICANN 
respond to demands outside of the usual consultative process under- 
mine executive branch efforts to make ICANN more of an independent, 
truly global, and representative policy authority. 36 

When the United States works counter to its principles and restricts 
cyberspace, it provides justification and coverage to other states looking to 
limit the openness of the Internet. Other countries act based upon what 
the United States does rather than what it says. Beijing and Moscow 
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often argue that their efforts to control the free flow of information 
are no different than those of Washington, Paris, or Berlin to block 
access to pirated materials or limit offensive speech. Censorship, 
blocking, and filtering may generate reactions from actors that may 
create unknown outcomes or actually worsen the health, security, and 
resilience of the Internet. 37 

The United States should do more to engage other states in cyber- 
space. Cybersecurity cooperation and collaboration is being expanded 
among the Five Eyes (the Technical Cooperation Program composed 
of Australia, Canada, New Zealand, the United Kingdom, and the 
United States); the United States and Australia have declared that their 
mutual defense treaty applies to cyberattacks; and the United States, 
through integrated government agency participation or a "whole-of- 
government" approach, has begun to hold cyber bilateral meetings 
with India, Brazil, South Africa, South Korea, Japan, and Germany 
that include representatives from the Departments of Defense, State, 
Commerce, Justice, and Homeland Security. The United States is also 
working with its negotiating partners to make sure that the forthcom- 
ing Trans-Pacific Partnership (TPP) trade agreement codifies the free 
flow of information across national boundaries. 

The United States has also had success in promoting the free flow of 
information and knowledge both by appealing to established national 
and international norms and by working in tandem with and sometimes 
ceding the lead to other countries. For example, in 2011, the Netherlands 
organized a meeting of governments to stand up for free expression 
on the Internet. The eighteen governments that make up the Freedom 
Online Coalition are often able to conduct discussions without provok- 
ing the same level of suspicion and opposition that the United States 
alone has to overcome. 38 

This traditional state-to-state diplomacy is necessary, but nowhere 
near sufficient for cyberspace. Righting domestic policy is important, 
but the United States cannot go it alone. It is necessary for the United 
States to identify partners among governments, the business community, 
and civil society at home and abroad. Sharing leadership in cyberspace 
is essential if the United States is to maintain and improve what it has 
helped to build. 

Numerous civil actors such as the Global Network Initiative, Open- 
Net Initiative, Electronic Frontier Foundation, and the Center for 
Democracy and Technology advocate for openness and human rights 
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on the Internet. Close coordination with Sweden and the Netherlands 
on efforts to promote the right to connect work in tandem with the U.S . 
State Department getting circumvention tools in the hands of indi- 
vidual users and running "tech camps" for NGOs around the world. 
Similarly, any effort to develop rules, institutions, and norms for cyber- 
security should involve private companies, international law enforce- 
ment, and international legal experts. 



Recommendations: The United States 
and Its Partners Should Promote 
a Positive Agenda for Cyberspace 



For at least two decades, it has been clear that the U.S. government 
has been unable to keep up with the pace of technological change. 
Moore's law purports that many of the capacities of digital technol- 
ogy double every two years . But, with procurement processes that can 
require eighteen to twenty-four months, the government is always 
chasing the next wave and operating with outdated equipment. 39 
Moreover, today's threats compress time and ignore geography in 
ways that overtax the capacities of even the best institutions. In the 
past, most threats could be seen over the horizon, across national 
borders, and prepared for over weeks, months, or years. By contrast, 
cyberattacks ignore territorial boundaries and can be indistinct from 
criminal activity. Attackers can be inside U.S. networks in minutes, 
if not seconds. Given the speed of cyberattacks, thoughtful delibera- 
tion during an event may be difficult, if not impossible; much of the 
response to cyber events will be automated, requiring the pre-posi- 
tioning of resources and authority. 

It is not just conflict that is accelerated. Previously, countries with 
rising economies developed advanced scientific and research capabili- 
ties over a span of decades. Now, countries that want to move up the 
value chain can steal the results of years of research and development 
and billions of dollars' worth of intellectual property from their trading 
partners in a matter of hours. 

Successfully meeting the challenges of the digital age requires an expan- 
sive and far -reaching rethinking of institutions and processes designedfor the 
twentieth century. The authorities given to the Department of Justice, the 
Department of Defense, and the intelligence communities in the Title 
10, 18, and 50 codes, for example, were developed when threats mate- 
rialized over time and there was a clearer distinction between external 
and internal threats and criminal and military activity. Other countries, 
moreover, are not constrained by such distinctions. U.S. policymakers 
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need to fix the disconnect between existing capabilities and jurisdiction and 
determine how best to reform and remake government agencies. 

For the near term, the Task Force identifies the following foreign 
and trade policies in the areas of security and resilience, trade, and 
governance. 

SECURITY AND RESILIENCE 

As part of the effort to help build a safe and resilient Internet ecosystem, 
the Task Force recommends the following: 

■ The United States should help create a cyber alliance of like-minded 
actors — including governments, companies, NGOs, and the non- 
commercial sector — based on a common set of practices and 
principles. 

■ The United States — first with its allies and then with other states — 
should adopt a whole-of-government approach that involves inte- 
grated government agency participation to limit the exposure of 
industrial control systems to damaging attacks and controlling the 
growing market in and proliferation of cyber weapons. 

■ The State Department and the Justice Department should work with 
like-minded nations to build an International Cyber Crime Center. 

■ Senior U.S. government officials should adopt a greater degree of 
transparency about the potential offensive use of cyber weapons. 

■ The State and Defense Departments should secure the cooperation 
of other states, civil society groups, and international legal experts, 
especially from the developing world, to clarify and expand the 
acceptance of the laws of armed conflict to the cyber domain. 

■ The United States should develop a strategy to counter cyber eco- 
nomic espionage that includes incorporating the prohibition against 
economic cyber espionage in multilateral and bilateral agreements, 
as well as directing national security resources to identify and collect 
intelligence on foreign efforts to target specific U.S. companies. 

■ Congress should consider amending statutes such as the Computer 
Fraud and Abuse Act so the private sector has greater certainty 
about whether it can take active defense and more offensive-oriented 
actions in cyberspace to protect its property. 
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■ The U.S. government should recruit, train, and retain a specialized 
cyber service. 

■ Congress should pass sensible cybersecurity legislation that allows 
for the rapid sharing of threat information. 

■ The White House should strengthen the coordinating authority 
of the National Cybersecurity and Communications Integration 
Center, as well as increase the authority of cyber policymakers across 
the government. 

CREATE A CYBER ALLIANCE 

During the Cold War, the United States signaled its commitment to 
and built security cooperation through the North Atlantic Trade Orga- 
nization (NATO) and other alliance agreements. Within NATO, the 
member countries are committed to a mutual self-defense agreement 
that treats an attack on one by an external party as an attack on the 
group. NATO has few forces of its own, but it does have an integrated 
military structure to field and command member-country forces once 
they agree to a NATO -related mission. NATO is also a political alliance, 
promoting democratic values and shared interests and partnering with 
other nations and international organizations, such as Japan and South 
Korea, and the United Nations. 

Washington should build a cyber alliance, a coalition of like-minded 
actors — including governments, companies, and NGOs — based on a 
common set of Internet practices and principles. This should happen 
at multiple levels with different sets of actors. The result should be a 
number of flexible groupings linked together in a consortium for an 
open, global, secure, and resilient Internet. 

The United States already has growing commitments to its allies 
and partners in cybersecurity. NATO has agreed to include cyber in 
the defense planning process; provide coordinated assistance if an ally 
or allies are victims of a cyberattack; develop early warning, situational 
awareness, and analysis capabilities; and help members achieve a mini- 
mum level of defense and reduce vulnerabilities of national critical 
infrastructures. 40 The Australia, New Zealand, and United States Secu- 
rity Treaty (New Zealand is an inactive member) has been extended to 
cover cyberattacks, and a substantial attack could trigger the use of the 
alliance to allow for technical cooperation among the countries. 
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But there are opportunities for greater leadership. Other nations are 
looking to Washington to do more diplomatically to better coordinate 
and integrate cyber defense. The Defense Department should expand 
military-to-military contact and training of civilian and defense author- 
ities, conduct joint cyber exercises, develop a common set of security 
practices and technology standards, and share data on threats and reme- 
diation. The Pentagon and the State Department should also continue 
to work with close friends and partners to offer technical assistance to 
less-developed countries. 

First with its allies and then with other states, the United States should 
cooperate on limiting the exposure of industrial control systems to dam- 
aging attacks and controlling the growing market in and proliferation of 
cyber weapons. 41 These types of discussions are sensitive and probably 
classified, but frank discussions are needed to extract best practices and 
identify mutual threats. The Department of Homeland Security should 
expand engagement with foreign counterparts in discussions on the 
capabilities of terrorist groups, as well as best practices for security in 
the oil, chemical, energy, and telecommunications sectors. Intelligence 
and law enforcement agencies should look for more aggressive ways to 
find and shut down the online black markets that proliferate malware 
that could harm industrial control systems. The United States has a 
long history of such intelligence sharing and cooperation with foreign 
partners, even on sensitive matters when interests align, such as has 
been the case in combating terrorism. 

With other like-minded states, the United States should address theprob- 
lem of sanctuary states — territories unwilling or unable to rein in cyber 
crime. Beyond the positive economic impact and improvement in public 
trust that a reduction in theft would bring, it would also filter out some 
of the background noise for state-backed cyber espionage or other 
attacks. Criminal and espionage networks are converging, with spies 
and criminals sharing methods, targets, and exploits. 

As noted earlier, the State Department has promoted the Budapest 
Convention on Cyber Crime as a mechanism for addressing interna- 
tional crime. The convention is a useful process, and a number of coun- 
tries, including Japan and Australia, have recently ratified the treaty. 
Still, it appears unlikely that the convention's norms will be globally 
accepted, especially as Russia, China, and other important economic 
actors remain outside of the convention. With its partners, the United 
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States should increase both public pressure and offers of technical assis- 
tance to police and incident response teams. 

The State Department and Justice Department should work with like- 
minded nations to build an International Cyber Crime Center that focuses 
on solving crimes and achieving successfulprosecutions and to expand exist- 
ing mechanisms, such as INTERPOL, that focus on apprehending cyber 
and traditional criminals. 42 Member states could also complain to the 
center when they feel that they have not received adequate assistance 
from other governments. The center would publicly name and pressure 
states that give sanctuary to cyber criminals and provide a grievance 
procedure for members that felt they did not receive adequate assis- 
tance from other governments. The center would also work alongside 
the INTERPOL Global Complex for Innovation, which will open in 
Singapore in 2014. 43 The complex will function as an R&D lab, training 
facility, and forensics lab for cyber crime. 

A cyber alliance needs to be expansive, embracing more than state- 
to-state diplomacy and involving private companies, international law 
enforcement, and NGOs. For instance, the Conficker Working Group, a 
coalition of public and private cybersecurity organizations, companies, 
and researchers, worked to prevent the spread of a computer worm and 
block the infected computers from receiving updates and commands. 
The Federal Bureau of Investigation (FBI), Facebook, and law enforce- 
ment agencies in Bosnia and Herzegovina, Croatia, Britain, New Zea- 
land, and Peru cooperated to dismantle the Butterfly botnet, a collection 
of compromised computers controlled by a third party. 

In the case of DDoS attacks, private companies, civil society 
groups, and governments can increase resilience through mutual aid 
agreements. Website operators, for example, can link and mirror other 
third-party sites. If the third-party site goes down, other sites can show 
users' stored versions of what was on the attacked site. 44 The Depart- 
ment of Homeland Security should also offer grants and prizes to tech- 
nology or business groups that help colleagues to mitigate intrusions 
and DDoS attacks. 

In sum, the United States needs to be willing to work with a range of actors 
that can help build, protect, and maintain a safe operating environment. The 
World Economic Forum, for example, is promoting the Principles for 
Cyber Resilience through global partnerships with public and private 
actors. Signatories of the principles commit themselves not only to rais- 
ing their ability to protect digital assets but also to protect others. 45 
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SUMMARY OF RECOMMENDATIONS 

■ Washington should build a cyber alliance, a coalition of like-minded 
actors based on a common set of Internet practices and principles. 

■ The Defense Department should expand military-to-military con- 
tact and training of civilian and defense authorities, conduct joint 
cyber exercises, and share data on threats and remediation. 

■ The Department of Homeland Security should expand engagement 
with foreign counterparts in discussions on the capabilities of terror- 
ist groups, as well as best practices for security in the oil, chemical, 
energy, and telecommunications sectors. 

■ Intelligence and law enforcement agencies should look for more 
aggressive ways to find and shut down the online black markets that 
proliferate malware that could harm industrial control systems. 

■ The State Department and Justice Department should work with 
like-minded nations to build an International Cyber Crime Center 
that addresses the problem of sanctuary states — territories unwill- 
ing or unable to rein in cyber crime — and focuses on solving crimes 
and achieving successful prosecutions and to expand existing 
mechanisms. 

■ A cyber alliance should involve private companies, international law 
enforcement, and NGOs. 

ADOPT A GREATER DEGREE OF TRANSPARENCY 

Although public officials have warned about the threat of a "cyber Pearl 
Harbor" or "digital gjn," the Task Force sees widespread cyber economic, 
political, and military espionage against defense, government, andprivate- 
sector networks as the most immediate threat to economic and national 
security interests. The capacity to launch a sudden strike that destroys or 
disrupts a large swath of critical infrastructure is most likely limited to 
a few nation-states. These actors should be deterred by the expectation 
that the United States could respond to a cyberattack through a combi- 
nation of retaliatory cyber and kinetic attacks, as well as diplomatic and 
other measures. 46 

The U.S. government is more likely to be able to attribute a devastat- 
ing attack to a specific state actor, especially if it comes during a geopo- 
litical crisis, but the genesis of attacks at a lower threshold may remain 
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unknown and will continue. These low-intensity attacks can have a 
long-term corrosive effect on the trust and integrity of the networks 
that are the foundation of the banking, transport, and communications 
systems. Furthermore, over time, the capability to conduct more dam- 
aging attacks will spread to states that may be harder to deter, as well as 
to extremists, lone wolves, criminal entities, and other nonstate actors. 

It is widely assumed that offense has — and will continue to have 
in the foreseeable future — the advantage over defense in cyberspace. 
Improved defense and greater resiliency are necessary but not suffi- 
cient. The defense has to secure tens of millions of lines of code and 
billions of items of data across hundreds of networks and thousands of 
devices, which are often maintained by private actors and individuals. 
As a result, offensive capabilities are required to deter attacks, and, if deter- 
rence fails, to impose costs on the attackers. 

This offensive dominance, along with the problem of attribution 
and low barriers to entry, make cyberspace a highly unstable strategic 
environment. Given the speed of potential strikes, nation-states have 
strong incentive to strike first, to take out an adversary's communica- 
tion, electric, and transportation grids before it strikes. Former secre- 
tary of defense Leon Panetta recently said that the United States may 
also consider preemptive strikes if it detects "an imminent threat of 
attack that will cause significant physical destruction in the United 
States or kill American citizens." 47 The concept of imminence in the 
cyber realm, however, remains legally and doctrinally nebulous. 48 This 
ambiguity makes coordination with allies more difficult since they may 
have a different legal interpretation of what is permissible. It increases 
the chances for miscalculation since legal boundaries can be useful for 
signaling and unclear ones can contribute to miscommunication, in 
addition to making it more difficult to predict international reactions to 
moves and countermoves in cyberspace. 

After a long period in which U.S. officials hesitated to speak about 
offensive capabilities, over the last two years there have been a series 
of leaks to the press and public pronouncements on the development 
of cyber weapons. Reports in the New York Times and Washington Post 
have credited the United States and Israel with being behind Stuxnet, 
the malware designed to slow Iran's nuclear program as part of a secret 
operation code-named Olympic Games. 49 

Arguments in support of Stuxnet or other covert operations are 
based in part on the alternatives. That is, an attempt to slow Iran's 
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nuclear program with malware that killed no one is politically and stra- 
tegically preferable to commando raids, air strikes, or missile strikes 
that are likely to cause much greater physical damage and a number of 
deaths. Given the United States' high degree of vulnerability to cyber- 
attacks, there is concern that an operation like Stuxnet may create 
blowback or provide cover for an adversary to conduct a similar attack. 
Iran appears to have accelerated its cyber programs after the attack. 
There is also a negative impact on the United States' ability to convince 
other states of the need for norms of peaceful conduct in cyberspace 
if they believe Washington has already used cyber weapons. But it is 
also true that many potential adversaries have been thinking about and 
developing offensive capabilities long before Stuxnet was ever devel- 
oped, and the United States was no more vulnerable after Olympic 
Games was revealed than it was before. The public, however, is unable 
to fully participate in the debate on the merits of these types of uses of 
cyber weapons because of a high degree of secrecy. The Task Force calls 
for a more open public discussion and, where appropriate, the declassifica- 
tion ofi information. 

Despite severe constraints in almost every other part of the defense 
budget, funding for computer network warfare is growing; the 2014 
budget request includes $4.7 billion for cyberspace operations, a 20 
percent increase from this year. 50 U.S. Cyber Command is reportedly 
expanding by more than fivefold, from nine hundred to forty-nine hun- 
dred personnel, and creating three types of forces: national mission 
forces, to protect critical infrastructure and defend against national- 
level threats; combat mission forces, assigned to the operational con- 
trol of individual combatant commanders, to plan and execute attacks; 
and cyber protection forces, to defend the Defense Department's net- 
work. 51 Within the national mission forces, the Pentagon will report- 
edly create thirteen offensive teams by 2015 and twenty-seven within 
the combat mission forces to support the Pacific, Central, and other 
combatant commands as they plan offensive cyber operations. 52 

According to press reports, the Pentagon has developed classified 
rules of engagement for battle in cyberspace, which would guide com- 
manders on when they could leave government networks to conduct 
offensive and defensive operations. In November 2012, President 
Obama reportedly signed Presidential Policy Directive 20, which 
"established principles and processes for the use of cyber operations," 
including the offensive use of computer attacks. 53 Offensive cyber 
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operations outside a war zone are said to require presidential permis- 
sion; even self-defense involving cyber operations outside military 
networks that could be construed as a use of force require presidential 
authorization. In addition, a legal review purportedly concluded that 
President Obama has the broad power to order a preemptive strike 
if the United States detects credible evidence of an imminent major 
cyberattack. 54 

This is progress compared with past reticence about offense, but 
U.S. government officials still publicly frame offensive military opera- 
tions as defensive. 55 The Task Force supports the U.S. government's 
right to develop offensive capabilities, but calls for greater transpar- 
ency about how and when such capabilities might be used. As the 
Defense Science Board argues, the United States needs to "clearly 
indicate that offensive cyber capabilities will be utilized (preemptively 
or in reaction, covertly or overtly), in combination with other instru- 
ments of national power, whenever the National Command Author- 
ity decides that it is appropriate." 56 

These statements should be linked to and reinforced by the United 
States' argument that the laws of war apply to cyberspace. State Depart- 
ment officials have said that that international humanitarian law can 
be extended to this new cyber domain, addressing the legal requirement 
of necessity in using force, what constitutes an act of force — "cyber 
activities that proximately result in death, injury, or significant destruc- 
tion would likely be viewed as a use of force" — as well as the principles 
of proportionality, neutrality, and distinction. 57 But states like China 
question whether existing international laws apply to cyber and believe 
that cyberspace requires a new set of laws and treaties. 

It is essential for the leading nations to agree on a set of norms for activ- 
ity and engagement in cyberspace; a failure to agree will be destabiliz- 
ing, increasing the chances of misperception, misunderstanding, and 
escalation. Perhaps even more disruptive to stability, nonstate actors 
frequently operate under the cover of a sovereign state. One country 
may see its action as permissible, the other as an act of war. 

Determining the boundaries of cyber war is an area where the United 
States cannot go it alone. The State Department has been discussing 
these issues with the Groups of Governmental Experts (GGE) at the 
UN, which is made up of diplomats from fifteen countries, including 
Russia, China, Australia, Japan, and Egypt, and at the OSCE. 5S The 
State and Defense Departments should secure the cooperation of other 
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states and civil society groups to clarify and expand the acceptance of 
these norms. 

The Tallinn Manual, written by a group of international experts 
at the invitation of NATO's Cooperative Cyber Defence Centre 
of Excellence, addresses many of the specific applications of law to 
cyberspace. 59 The United States may not agree with all of the find- 
ings of the report, but this was a useful process that should be repli- 
cated in other forums with other groups of contributors. The State 
and Defense Departments, for example, should call together a group 
of legal advisers from Kenya, Brazil, China, India, Tunisia, South 
Africa, Turkey, and other important developing cyber powers to work 
on these questions. 

Recent reporting suggests that China-based hackers broke into the 
computers of a company that monitors more than half of the oil and gas 
pipelines in North America. In this instance, it is uncertain whether the 
attackers were trying to steal industrial secrets to pass to Chinese com- 
panies or were planning to plant malware that would eventually shut 
down the energy system. 60 This ambiguity points to the need for contin- 
ued discussions with partners and potential adversaries about the laws 
of armed conflict in cyberspace, the definition of legitimate targets, and 
how states signal intentions and control escalation. These discussions 
should focus on penetration and exploitation of industrial control sys- 
tems, and are important in preventing miscalculations and mispercep- 
tion in cyberspace. 

The State and Defense Departments should also continue to take 
active leadership in regional security groupings such as the OSCE, the 
ASEAN Regional Forum, and the Organization of American States on 
cyber-related confidence-building measures. These measures might 
include identifying points of contact within governments, joint training 
exercises, and developing crisis communication mechanisms. 

SUMMARY OF RECOMMENDATIONS 

• The Obama administration should clearly state that the United States 
has the right to conduct offensive operations. 

■ The State and Defense Departments should call together a group of 
legal advisers from important developing cyber powers to discuss 
applications of international law to cyberspace. 
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■ The State and Defense Departments should take active leadership in 
regional security groupings such as the OSCE, the ASEAN Regional 
Forum, and the Organization of American States on cyber-related 
confidence-building measures. 

DEVELOP A STRATEGY TO COUNTER 
CYBER ECONOMIC ESPIONAGE 

U.S. government officials have clearly and accurately stated the threat 
of economic espionage to national and economic security. The Office 
of the National Counterintelligence Executive, for example, argues that 
"losses of sensitive economic information and technologies to foreign 
entities represent significant costs to U.S. national security." 61 Esti- 
mates of the effect of cyber espionage on U.S. GDP range from o.i per- 
cent ($25 billion) to 0.5 percent ($125 billion). 

Having identified the threat, U.S. authorities must now act to combat it. 
Failing to address the espionage issue makes it far more likely that distrust 
and conflict will rule thefuture of cyberspace. Not only will nation-states 
seek to disrupt the capabilities of those they believe are stealing their 
trade secrets and intellectual property, but the number of actors could 
also multiply as companies and "privateers" use unregulated hack- 
backs and other illegal offensive cyber operations against hackers. 

In February 2013, the Obama administration released the Strategy on 
Mitigating the Theft of U.S. Trade Secrets. 62 The strategy is primarily a 
continuation of policies already in place: promoting best practices to 
help industries protect against theft, enhancing U.S. law enforcement 
operations to increase investigations and prosecutions, and applying 
diplomatic pressure on foreign leaders to discourage theft. But the strat- 
egy does state that if diplomatic efforts are ineffective, the United States 
will use trade policy tools to press other governments for better protec- 
tion and enforcement. These include mechanisms to target weaknesses 
in trade secret protection through enhanced use of the Special 301 pro- 
cess, the USTR's annual review of intellectual property protection and 
market access practices in foreign countries, and to include trade secret 
protections in new agreements like the Trans-Pacific Partnership. 

Espionage, of course, has always been practiced. It is to be expected 
that nation-states will continue to conduct political and military cyber 
espionage, and international norms and agreements prohibiting gen- 
eral espionage are unlikely and undesirable. The State and Commerce 
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Departments, however, should work for a norm that bans large-scale 
commercial espionage, though this may be difficult to accomplish 
because some friends and allies of the United States do partake in the 
practice. In an effort to force these partners to justify their position, the 
United States should explicitly open a dialogue on commercial espionage 
and state why the government and companies domiciled, owned, traded, or 
regulated within the United States do not legally steal corporate secrets and 
can and have been prosecuted for doing so. President Obama, for exam- 
ple, has now publicly called out China on its cyber economic espionage 
campaign: "We've made it very clear to China and some other state 
actors that . . . we expect them to follow international norms and abide 
by international rules." 63 

The United States, the countries of the EU, Japan, and other like- 
minded countries should partake in a process similar to that used in 
building support for the proliferation security initiative (PSI), a global 
effort to prevent trafficking of weapons of mass destruction. 64 This 
would involve incorporating the prohibition against economic cyber 
espionage in multilateral and bilateral agreements, and perhaps even- 
tually pursuing sanctions or other measures to restrict market access 
at the World Trade Organization (WTO). It would also require the 
prosecution of foreign nationals for economic espionage originating 
outside national boundaries. The Department of Justice recently set up 
a National Security Cyber Specialist program to help indict state-spon- 
sored cyber attackers, although prosecution remains difficult. 

In addition, the private sector should consider targeted civil lawsuits or 
international arbitration proceedings against enterprises that benefit from 
stolen data. Congress should amend the Computer Fraud and Abuse 
Act, strengthening the civil remedies provisions with specific dollar 
amounts in regard to the value of the theft and the civil penalties that 
can be leveraged against the attackers. The courts should also consider 
commercial damages. The precedent of this would be patent infringe- 
ment cases, in which actual damages are generally tripled for those 
found guilty of willful infringement. If found guilty, a Chinese company 
would be raising costs for other companies, damaging its own credibil- 
ity as a business partner, and driving a wedge between Chinese compa- 
nies and state-backed hackers. 

At home, the United States should implement an interagency economic 
counterespionage program that will help prevent foreign services and cor- 
porate competitors from stealing secrets from U.S. industry. The Obama 
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administration appears to be moving in that direction, especially with 
the public naming of China as one of the major sources of cyber espio- 
nage by National Security Adviser Tom Donilon and a more forceful 
effort by senior diplomats to raise the issue with China. However, the 
issue extends far beyond China. 

New policies should include directing national security resources 
to identify and collect intelligence on foreign efforts to target specific 
U.S. companies. An economic counterespionage policy of assisting 
specific U.S. companies when they have been individually targeted can 
avoid the conundrum of economic espionage, in which it is difficult to 
share the fruits of economic espionage fairly, equitably, and securely 
among U.S. industry. Foreign economic espionage usually benefits a 
state or a state-aligned corporation. The Treasury and Commerce 
Departments should develop sanctions against these offenders, and 
the United States should work through the WTO, INTERPOL, and 
other international organizations to develop norms and sanctions 
against economic espionage. 

These policies would build on and take advantage of some of the 
existing programs for information sharing — the Defense Industrial 
Base cyber pilot (now known as the Enhanced Cybersecurity Ser- 
vices) and the Enduring Security Framework — but should also merge 
information collected by the intelligence agencies with the intelligence 
gathered by the private sector, as well as the firms conducting forensic 
investigations of the breaches. Merging the information collected by 
law enforcement and intelligence agencies with the type of information 
collected in a private-sector forensic investigation would result in a fun- 
damentally different — and actionable — perspective on the threat. 

SUMMARY OF RECOMMENDATIONS 

■ The United States should open a dialogue on commercial espionage 
and state why the government and companies domiciled, owned, 
traded, or regulated within the United States do not legally steal cor- 
porate secrets and can and have been prosecuted for doing so. 

■ The United States, the EU, Japan, and other like-minded partners 
should incorporate the prohibition against economic cyber espio- 
nage in multilateral and bilateral agreements, and perhaps eventually 
pursue sanctions or other measures to restrict market access at the 
World Trade Organization. 
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■ The private sector should consider targeted civil lawsuits or interna- 
tional business arbitration proceedings against enterprises that ben- 
efit from stolen data. 

■ The United States should implement an interagency economic coun- 
terespionage program to prevent foreign services and corporate 
competitors from stealing secrets from U.S. industry. This would 
include directing national security resources to identify and collect 
intelligence on foreign efforts to target specific U.S . companies. 

■ This effort should merge information collected by the intelligence 
agencies with the intelligence gathered by the private sector, as well 
as by firms conducting forensic investigations of the breaches. 

CLARIFY THE STATUTES SURROUNDING 
ACTIVE DEFENSE 

As more cyberattacks on companies, the media, think tanks, civil soci- 
ety groups, and prominent individuals have become publicly known, 
the debate over whether private actors should be allowed to partake in 
active defense, or forms of defense that extend beyond a company's fire- 
wall, has become increasingly visible. The more offensive-oriented and 
legally questionable forms of these measures are sometimes referred 
to as "hacking back." In one survey, more than half of the respondents 
thought their companies should have the ability to hack back against 
their attackers. In another study, more than one-third admitted that 
they had already done so. 65 

The private sector and the U.S. government should work together to 
define and structure the concept of active cyber defense and to explore 
whether a regulated private security industry can successfully address the 
threats. Congress should consider amending statutes such as the Com- 
puter Fraud and Abuse Act so the private sector has certainty about 
what actions it can take to protect its property. 

The promotion of active defense has been motivated by the rising 
capabilities of private actors and the recognition of the limitations on 
national authorities to respond effectively. Companies and others also 
recognize that firewalls, patching vulnerabilities, cyber hygiene, and 
other passive defenses are inadequate to defend against increasingly 
persistent, capable, and often state-backed adversaries. Proponents 
also argue that active defenses can raise the cost to attackers, in addition 
to gathering intelligence on them to prevent future attacks. 
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Active defense, however, is an ill-defined concept, and govern- 
ment and industry interpretations differ. It can include actions that are 
unlikely to be illegal, such as creating fake data and using honeypots or 
decoy networks to collect information on hackers, to the legally ques- 
tionable, such as unilaterally taking down botnets and destroying the 
companies' own data held on third-party servers. Some have suggested 
the use of tracking beacons inside files that are at risk of being stolen, 
using disinformation, and planting fake data. 

Active cyber defense presents significant threats and risks. A truly 
determined attacker may neither cease from current attacks nor be 
deterred from future attacks in the face of hacking back, but instead 
may escalate the conflict. Private actors could also damage innocent 
third parties, negatively affect diplomatic relations with states, or cause 
inadvertent escalation with a state actor. In addition, active defenses 
could interfere with an ongoing FBI investigation related to the same 
cyberattack that the active defense private actors are retaliating against. 

SUMMARY OF RECOMMENDATIONS 

• The private sector and the U.S. government should define and struc- 
ture the concept of active cyber defense and explore whether a regu- 
lated private security industry can successfully address the threats. 

■ Congress should amend statutes such as the Computer Fraud and 
Abuse Act so the private sector has certainty about what actions it 
can take to protect its property. 

CREATE A CYBER SERVICE 

To prevent and respond to a catastrophic attack, the U.S. government will 
need to mobilize a well-trained cyber workforce. The current workforce 
is fragmented, divided among numerous agencies with different mis- 
sions. No standard government process for recruitment, training, or 
evaluation exists. Talent shortages already exist and will worsen. More 
than 80 percent of the federal cybersecurity professional workforce is 
over forty years old, and only 5 percent is thirty years or younger. One- 
third of the federal workforce is expected to retire over the next three 
years. 66 One estimate puts future shortfalls at between twenty thou- 
sand and forty thousand people for many years out, and competition 
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among government contractors, federal agencies, and the private sector 
for workers with hands-on experience defending networks from mali- 
cious attacks is intense. 67 

Over the long term, in order to expand the pipeline of people in cyber- 
security, the United States will have to raise graduation rates in the fields 
of science, technology, engineering, and mathematics (STEM) — especially 
among women, who are particularly underrepresented in the field. In 2012, 
the Homeland Security Advisory Council offered recommendations 
on how DHS might improve recruitment, training, and retention by 
making the hiring process smoother, establishing two-year, commu- 
nity-college based training programs, enhancing opportunities for 
veterans, and establishing a pilot Cyber Reserve program that ensures 
DHS cyber alumni and other talented cybersecurity experts outside of 
government are known and available to DHS in times of need. 68 These 
DHS recommendations should be acted on. 

Congress is also considering creating Cyber and Computer Net- 
work Incident Response Teams in the National Guard. 69 These teams, 
to be located in all fifty states and the District of Columbia, would lever- 
age private- sector information technology (IT) expertise by combining 
both active and traditional Guard members. Governors would mobi- 
lize these teams for domestic incident response as well as to support 
existing DHS, DOJ, Secret Service, and state and local cyber efforts, 
and the secretary of defense would mobilize them for national defense 
under Title 10 status when necessary. Congress should move forward 
and create these National Guard teams. 

These are worthwhile and useful recommendations that the Task 
Force supports, but workforce shortages are felt across almost every 
agency. The government should develop a cyber service for use by multiple 
branches of the U.S. government. There are risks that members of the ser- 
vice would not be familiar with the issues central to specific agencies, 
but these exist in other services as well and could be addressed through 
joint appointments, as happens now with FBI agents detailed to the 
CIA, for example. This is a more ambitious undertaking than improving 
cyber training for government employees within agencies. This would 
be a new professional career service comparable to the Foreign Service, 
National Clandestine Service, or the FBI's Special Agent program. 
Such an effort would create an entire culture and ethos of cyber opera- 
tors, who could be detailed to different departments based on need. 
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SUMMARY OF RECOMMENDATIONS 

■ The United States should aim to raise graduation rates in the fields 
of science, technology, engineering, and mathematics to expand the 
pipeline of people in cybersecurity. 

■ The government should develop a cyber service for use by multiple 
branches of the U.S. government. This would be a new professional 
career service comparable to the Foreign Service, National Clandes- 
tine Service, or the FBI. 

PASS CYBERSECURITY LEGISLATION 

The public and private sector agree that defending critical infrastruc- 
ture from cyberattacks will require robust information sharing and col- 
laboration between government agencies and industry. Despite general 
bipartisan agreement on the serious nature of the cyber threat and the 
need for better information sharing, it is unclear whether the 113th C on- 
gress will be able to overcome politics and process to produce and pass a 
legislative package. The process of cyber legislation will be a test case of 
the 113th Congress's ability to manage the committee process through 
regular order. The Task Force urges Congress to create and pass legislation 
that balances the need to meet the cyber threat with the protection of indi- 
vidual rights and private-sector liability. 

Public-private collaboration to combat cybersecurity threats has 
been enshrined as a policy priority at least since the Presidential Deci- 
sion Directive 63, which former president Bill Clinton signed in 1998. 70 
In response to PDD 63, the financial, electric, information technology, 
public transportation, nuclear, and other critical infrastructure sectors 
created Information Sharing and Analysis Centers (ISACs) to help dis- 
seminate threat information and provide incident response and risk 
mitigation. The National Infrastructure Protection Plan (NIPP), which 
was updated in 2009 , calls for greater information sharing about cyber- 
security threats. 

Bank officials have said they sought support from the U.S. govern- 
ment during the large DDoS attacks in the fall of 2012 and spring of 
2013. The NSA reportedly offered assistance in analyzing the attacks 
and evaluating remediation efforts, but bank officials have also criti- 
cized the quality and timeliness of shared information in the early 
stages of the attacks, as well as the larger difficulties of interfacing with 
the government. 
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Several legislative efforts have tried to give additional authorities to 
support information sharing, including the Cyber Intelligence Shar- 
ing and Protection Act (CISPA) in the House and the Cybersecurity 
Act of 2012 and the Strengthening and Enhancing Cybersecurity by 
Using Research, Education, Information, and Technology Act of 2012 
(SECURE IT) in the Senate. CISPA passed in the House in 2012, but 
the Cybersecurity Act of 2012 did not receive enough votes to move 
to consideration in the Senate. Opposition revolved primarily around 
the nature of cyber standards for critical infrastructure companies, the 
protection of individual users' information, liability provisions for the 
private sector, and the role of the intelligence and defense communities 
in providing information to the private sector. CISPA was reintroduced 
in the 113th Congress and passed in the House in April 2013; President 
Obama has threatened to veto the bill if it is brought to and passes in 
the Senate. The Senate leadership has signaled the intention to bring 
additional cybersecurity legislation to the floor again, but the prospects 
for passage are uncertain. 

The Task Force believes that President Obama's February 2013 execu- 
tive order on cybersecurity was a positive move to improve the protec- 
tion of critical infrastructure. 71 The order directs the Department of 
Homeland Security, Department of Justice, and Director of National 
Intelligence to share more information with privately owned critical 
national infrastructure such as the defense sector, utility networks, and 
the banking industry. The order also expands the Enhanced Cyberse- 
curity Services (formerly known as the Defense Industrial Base pilot), 
a program that shares cybersecurity threat information with defense 
contractors and others with security clearances, to critical infrastructure 
companies. In an effort to raise security standards in the private sector 
through voluntary participation, the order calls for the establishment of 
a "cybersecurity framework." The framework is a voluntary set of cyber- 
security best practices, developed by the National Institute of Standards 
and Technology (NIST) in conjunction with the private sector. DHS will 
work with the Department of Energy and other agencies, as well as indus- 
try councils, to implement the best practices laid out in the framework 
and identify incentives for companies to join the voluntary program. 

Once NIST, with industry support, develops cybersecurity stan- 
dards, it will be important for the White House to advocate for these 
standards in international bodies. The European Union is currently 
developing new standards on critical infrastructure, breach report- 
ing, liability, and preparedness. Differing regulations will create 
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difficulties for companies that have operations in both jurisdictions, 
and could pose problems as the two sides attempt to broker a free 
trade agreement. 

The executive order, however, is limited in impact. It merely directs 
the government to do things that it was already authorized to do; the 
order does not address multidirectional information sharing and cannot 
grant companies liability protection if they are hit with a cyberattack 
because achieving these objectives would require legislation. Congres- 
sional efforts to improve information sharing are needed. Such efforts 
face obstacles related to committee jurisdictions, pressures from inter- 
est groups, and political considerations. 

RECOMMENDATIONS 

The Task Force calls on the U.S. Congress to create and pass legislation to 
meet the cyber threat soon. The legislation should have: 

■ a narrow focus on cybersecurity and cyber threats; 

■ mechanisms for the real-time sharing of information (including clas- 
sified intelligence) between government and the private sector and 
among private-sector actors; 

■ a legal framework for the sharing of information; 

■ requirements to protect the identity of individual users and the pro- 
tection of privacy in threat information shared with the government; 

■ protocols for sharing the information within the government; 

■ limited liability provisions for companies voluntarily involved in the 
information-sharing program; and 

■ a review process to prevent misuse of data by the U.S. government. 

STRENGTHEN THE COORDINATING AUTHORITY 
OF THE NCCIC 

Parallel to the legislative effort, the U.S. government should take organi- 
zational steps to improve information sharing and public-private coop- 
eration. The Department of Homeland Security should bolster its 
capabilities in early warning cyber exercises and collaboration, as well 
as develop better mechanisms to draw upon the technical capabilities 
of other agencies. 72 The National Cybersecurity and Communications 
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Integration Center (NCCIC) should partake in joint threat and capabil- 
ities assessment with the private sector, and threat information should 
be shared earlier. 

During the cyberattacks on banks, the U.S. government response 
was led by DHS's NCCIC, which is responsible for producing a 
common operating picture for cybersecurity across the federal govern- 
ment. Partners include the DOD, DOJ, FBI, and NSA, and its opera- 
tional elements include the U.S. Computer Emergency Readiness 
Team (U.S. -CERT), Industrial Control Systems Cyber Emergency 
Response Team (ICS-CERT), and the National Coordinating Center 
for Telecommunications and Cyber Exercises. NCCIC also provides 
access for cleared individuals from the private sector to meet with a host 
of federal agencies. DHS organizes the Cyber Storm exercises. These 
drills, which include foreign governments, private-sector business, and 
individuals, are designed to improve interagency coordination, infor- 
mation sharing, and the collection and dissemination of response and 
recovery information. 73 

Many in the private sector and Congress are skeptical of DHS's 
emerging role as the primary civilian lead on several aspects of U.S. 
government cybersecurity. Some have questioned whether DHS has 
the administrative and technical capabilities to fulfill such a role. Crit- 
ics question whether DHS has the strength to bring together all the 
agencies needed to coordinate information sharing and reach out to the 
private sector. Although NCCIC has recently gone through an inter- 
nal reorganization, leadership turnover continues to be high, pointing 
to continued institutional turmoil. DHS and NCCIC will have to take 
steps to reassure the public and private sectors that they are capable of 
taking the lead on many cyber issues. 

SUMMARY OF RECOMMENDATIONS 

■ The Department of Homeland Security (DHS) should bolster its 
capabilities in early warning cyber exercises and collaboration and 
develop better mechanisms to draw upon the technical capabilities 
of other agencies. 

■ The National Cybersecurity and Communications Integration 
Center (NCCIC) should partake in joint threat and capabilities 
assessment with the private sector, and threat information should be 
shared earlier. 
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INCREASE CYBER POLICYMAKERS' AUTHORITY 

Coordination problems continue to bedevil the interagency process. 
Organizational change is important for supporting all three pillars 
of digital policy: alliances, trade, and governance. Within the State 
Department, Internet issues are divided among the Office of the Cyber 
Coordinator, Bureau of Economic and Business Affairs, and Bureau 
of Democracy, Human Rights, and Labor. Across the entire U.S. gov- 
ernment at least fourteen government bureaus, divisions, and depart- 
ments collaborate with international agencies and organizations on 
cyberspace issues. This not only leads to coordination and messaging 
problems but makes it difficult for those outside of the United States 
without great knowledge of the workings of cyber policy to know with 
whom to interact. 

At present, without clear legal authority, the NCCIC must make mul- 
tiple requests from other agencies for information that could help defend 
the private sector. Its authority should be increased and clarified. The 
position of director of the NCCIC should be elevated to an undersecretary or 
even a deputy secretary rank, Senate-confirmedposition — as is the director of 
the National Counterterrorism Center. This would not fully resolve issues 
of interagency coordination, but it would give the holder of the position 
increased authority to coordinate and make requests of other agencies. 

Over the next two years, the State Department should review the Office 
of the Cyber Coordinator and consider replacing the post with an assistant 
secretary in charge of a cyber bureau. If the position remains, the Office 
of the Coordinator for Cyber Issues should lead the U.S. international 
position on the Internet across organizations where Internet gover- 
nance discussions are conducted. 

In addition, following the model of the German foreign ministry and 
UK Foreign and Commonwealth Office, the State Department should 
post cyber attaches — Foreign Service officers specializing in cyber issues — 
in important capitals such as London, Beijing, Brussels, Brasilia, Ankara, 
Nairobi, and Delhi. 

In the White House, the special assistant to the president and cyber- 
security coordinator is currently on the national security staff. Over the 
next two years, the White House should review whether the cybersecurity 
coordinator should also be part of the National Economic Council and the 
Office of Science and Technology Policy. The wearing of three hats may 
give the coordinator the necessary authority and influence to shape a 
more cohesive strategy. 
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■ The position of director of the NCCIC should be elevated to an 
undersecretary or even a deputy secretary rank, Senate-confirmed 
position — like the director of the National Counter terrorism Center. 

■ The State Department should review the Office of the Cyber Coor- 
dinator and consider replacing the post with an assistant secretary in 
charge of a cyber bureau. 

■ The State Department should post cyber attaches — Foreign Ser- 
vice officers specializing in cyber issues — at important diplomatic 
outposts. 

■ The White House should review whether the cybersecurity coordi- 
nator, currently on the national security staff, should also be part of 
the National Economic Council and the Office of Science and Tech- 
nology Policy. 

TRADE, INNOVATION, AND GROWTH 

The Task Force believes all future trade agreements should contain a goal of 
fostering the free flow of information and data across national borders while 
protecting intellectual property and developing an interoperable global 
regulatory framework for respecting the privacy rights of individuals. 

The General Agreement on Trade in Services of the World Trade 
Organization came into force in 1995 and expanded trade rules from 
goods to services, including financial, telecommunications, and cloud 
and other Internet-based services. The formalization of these Inter- 
net principles in new trade agreements would be an important step. 

The U.S. -Korea Free Trade Agreement calls on the two countries to 
"refrain from imposing or maintaining unnecessary barriers to elec- 
tronic information flows across borders." The Trans-Pacific Partner- 
ship (TPP), the upcoming U.S. -European trade negotiations, and future 
bilateral agreements should all guarantee the free flow of information 
across borders and proper steps to protect copyright holders and inter- 
mediaries, and that servers need not be located in countries where com- 
panies provide services and products. 

Because most of the discussion on the TPP occurs behind closed 
doors, it is difficult to gauge progress on it. Vietnam, one of the poten- 
tial signatories, is perhaps a more extreme example of the potential 
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complications of getting states with different political systems and 
levels of development to refrain from imposing barriers on the free flow 
of information as part of a trade agreement. In January 2012, the Viet- 
namese government convicted and sentenced five activists for blogging 
in support of freedom of expression. 

RECOMMENDATIONS 

Several previous governmental and private efforts have done important 
work in developing the basic principles of digital trade and informa- 
tion flows. 74 Drawing onthese previous reports andpolicy papers, theTask 
Force recommends the following: 

• Governments should not require that facilities, servers, or informa- 
tion be located in specific countries or regions. 

■ Regulators should not discriminate between domestic and foreign 
producers. 

■ Governments should provide appropriate limitations of liabilities for 
Internet intermediaries. 

■ Trade policy should support a trusted environment where per- 
sonal data, intellectual property, privacy, and cybersecurity are all 
protected. 

■ Bilateral and multilateral trade agreements should guarantee the free 
flow of information and data across national borders. 

■ Regulations affecting data transfer should be transparent, provided 
for by law, and consistent with the maximal protection of privacy, 
user security, and free expression. 

■ Governments should promote investment in expansion of Internet 
networks and high-speed broadband. 

■ Governments should maximize the availability and use of the spec- 
trum in a transparent and nondiscriminatory manner. 

■ Public policy should be technology neutral and foster a diversity of 
platforms. 

To build on these recommendations and further promote U.S. digital 
trade, the Task Force also recommends the following: 
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■ The Trans-Pacific Partnership, the upcoming U.S. -European trade 
negotiations, and future bilateral agreements should guarantee the 
free flow of information across borders. 

■ The United States, along with its trading partners, should create a 
digital due process so that requests for content removal and user data 
are consistent with international practices. 

■ The United States and others should make transfer of data between 
governments more transparent and efficient by improving the Mutual 
Legal Assistance Treaty system. 

■ With its Japanese and European counterparts, the USTR should 
coordinate pressure on India and Brazil on procurement regulations, 
location requirements, and other nontariff barriers to trade. 

■ The United States should protect intellectual property, while pre- 
serving the rights of users to access lawful content. 

■ The United States should help create an environment in which the 
Internet economy flourishes. 

CREATE A DIGITAL DUE PROCESS 

International trade agreements are important, as they will help define 
norms and set standards that can be extended to other parts of the 
world. While the Trans-Pacific Partnership proceeds, signs of activ- 
ity now surround the Transatlantic Trade and Investment Partner- 
ship (TTIP) after almost fifteen years of unproductive discussions. A 
high-level working group has given the go-ahead for the two sides to 
begin negotiations, and the United States and EU are expected to look 
for opportunities to reduce, eliminate, or prevent barriers to trade in 
services and enhance the compatibility of regulations and standards. 
TTIP is expected to include provisions that facilitate the movement 
of cross-border data flows. The Task Force welcomes movement on the 
TTIP, but cautions that a number of important transatlantic differences 
need to be resolved. 

There are significant challenges in the transatlantic relationship 
outside of the scope of the TTIP. The EU is currently revising the 1995 
Data Protection Directive, which regulates the processing of personal 
data within the European Union, and many of the proposed changes 
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appear prohibitively expensive and prescriptive. The European Com- 
mission has estimated that the revisions could save businesses through- 
out Europe 2.3 billion euros by harmonizing and simplifying standards. 
However, the UK Ministry of Justice has countered with an estimate 
that the cost to the United Kingdom alone would be between 100 mil- 
lion and 360 million pounds a year. 75 The UK government has also 
opposed the one-size-fits-all approach found in the directive, noting 
that all data collectors — from small businesses to multinationals — will 
have to follow the regulations for completing data protection, impact 
assessments, and the hiring of data protection officers. 

Some of the proposed revisions appear unworkable. The European 
Parliament is considering proposals that would create data portabil- 
ity — individual users would be able to transfer personal posts, photos, 
and videos from one online service site to another "without hin- 
drance" — and the "right to be forgotten." Users would also be able to 
obtain details about what data companies hold on them. Those firms 
that fail to follow the data portability regulation could face penalties 
of up to 2 percent of global revenue. U.S. critics have argued that the 
provision is overly broad, corrosive to innovation, and could disrupt 
businesses' access to data. Though data portability might increase 
security by allowing users to switch to more secure providers instead 
of staying locked into less secure servers, by concentrating a lifetime 
of a user's data in one place, it could also increase vulnerability. With a 
"right to be forgotten," users can demand that publicly available infor- 
mation or replications on websites and search engines be deleted. 
Failing to delete the information could lead to fines of up to 1 percent 
of a company's revenue. The European Network and Information 
Security Agency, however, found that "a purely technical and compre- 
hensive solution to enforce the right in the open Internet is generally 
impossible." 76 

European policymakers have raised concerns about the U.S. govern- 
ment accessing the data of European citizens stored on the servers of 
American companies through powers granted by the Patriot Act and the 
Foreign Intelligence Surveillance Amendments Act. These processes are 
not exclusive to the United States; several countries, including a number 
of member countries of the EU, have wide-ranging provisions that allow 
access to cloud-stored data outside their respective jurisdictions. 

As a result, policymakers and business leaders need to foster a digi- 
tal due process so that requests for content removal and user data are 
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consistent with international practices. Countries should develop a 
robust approach to digital due process that facilitates proper legal 
process for resolving domestic and foreign requests for information. 
This is an area where the United States can exert a great deal of influ- 
ence as a positive model and where American technology companies 
are taking the lead. Google, Twitter, Linkedln, Microsoft, and other 
companies now issue transparency reports that detail the number of 
requests they receive from government law enforcement for data on 
users around the world. 

SUMMARY OF RECOMMENDATIONS 

• Policymakers and business leaders from social media, data process- 
ing, cloud computing, and other data-intensive industries need to 
foster a digital due process so that requests for content removal and 
user data are consistent with international practices. 

■ The United States and EU should develop a robust approach to digi- 
tal due process that facilitates proper legal processes for resolving 
domestic and foreign requests for information. 

IMPROVE THE EFFICIENCY OF THE MLATS 

Government authorities need to work across borders to fight crime 
and prevent terrorist attacks, but many lawful intercept regulations — 
demands for communications network data for the purpose of analysis 
or evidence — are inconsistent and often burdensome to business and 
overly broad, threatening user privacy. 

The transfer of data between governments can be made more trans- 
parent and efficient through improving the Mutual Legal Assistance 
Treaty (MLAT) system, through which nations agree to share informa- 
tion and evidence during criminal proceedings. 

RECOMMENDATIONS 

■ MLATs should explicitly define the modes of communication they 
cover, require governments and companies to provide explicit pro- 
tections of individual rights and personal data, and include explicit 
timetables for cooperation and response by governments. 
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■ When the laws of more than one state apply to data, the higher of 
the standards should be applied, and MLATs should require gov- 
ernments to regularly disclose when and why personal data is 
requested. 

PRESSURE CHINA, INDIA, AND BRAZIL 

U.S.-EU efforts to reach agreements on how data is collected, managed, 
and shared, as well as other trade and investment regulations, are impor- 
tant because they help set a template for rising economies such as China, 
India, and Brazil. The United States and its partners should maintain steady 
pressure on these three countries to uphold international standards. 

Beijing's efforts to restrict the flow of information and to encourage 
"indigenous innovation" through government procurement, technol- 
ogy transfer, and location requirements have attracted the lion's share 
of negative attention. But India has also requested access to propri- 
etary source code, pursued initiatives that will allow broad compulsory 
licensing of critical technologies, and recently proposed regulations 
that would force technology companies to manufacture locally if they 
want to sell to the government. The motivation for these demands is 
often opaque; policies can be driven by real security concerns, the desire 
to promote competing technology standards and strengthen domestic 
firms, or some combination thereof. 

The United States has had some limited success with China through 
the Joint Commission on Commerce and Trade and at high-level sum- 
mits such as the Strategic and Economic Dialogue; Beijing has promised 
not to discriminate against foreign technology or mandate domestic 
encryption and wireless authentication technologies, and to strengthen 
intellectual property rights provisions. 

RECOMMENDATIONS 

■ The United States, in coordination with Japan and the EU, should 
maintain pressure on China and should exert similar pressure on 
India and Brazil. 

■ If the pressure is ineffective and these countries continue to discrimi- 
nate against foreign goods and services, the United States should 
consider, depending on the political and economic context, a range 
of possible responses, including, but not limited to, threatening to 
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withdraw or limit unilateral benefits granted to India and Brazil and 
suspending or withdrawing duty-free treatment of Indian and Brazil- 
ian goods subject to the Generalized System of Preferences (GSP) to 
ensure those countries "provide equitable and reasonable access to 
[their] markets," one of the GSP's fundamental criteria. 

■ The United States should refine the content of and globalize Asia- 
Pacific Economic Cooperation innovation policy principles, entitled 
Promoting Effective, Non-Discriminatory, and Market-Driven Inno- 
vation Policy, so that they apply outside of the APEC region. 

PROTECT INTELLECTUAL PROPERTY WHILE PRESERVING 
THE RIGHTS OF USERS 

Protecting intellectual property is a cornerstone of U.S. innovation and 
competitiveness. The United States should continue to work to remove and 
limit the availability of pirated content and counterfeit products online. 

Blocking or censoring sites and files has some short-lived effects, but 
does not appear to decrease the long-term availability of pirated content 
on the Internet. Pirates often respond to the takedown of file sharing 
sites by spreading the stolen content over hundreds of services. "Warn- 
ing models," such as notice and takedown, or "graduated responses" — 
users are warned that illegal material has been downloaded to their 
account and the Internet service provider may slow down Internet 
speeds, or cut users off entirely, after a certain number of violations — 
have worked in some countries but not in others. 

The real culprits are dishonest advertising services and malware 
distributors that use pirated content to attract users. Cutting off the 
advertisement flow and shutting down the malware companies would 
address the majority of this problem. In addition, some of the technical 
and political means used in blocking websites threaten innovation and 
the free flow of information. 

RECOMMENDATIONS 

• The United States should work with advertising agencies and trade 
groups to cut off the flow of advertising and payments to sites hosting 
illegal materials. 

■ The mechanisms for requesting sanctions should be public and 
transparent. 
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■ The Department of Commerce and the USTR should continue to 
pressure other nations to curtail the activities of pirate hosting sites 
and consider trade sanctions when they do not. 

HELP THE INTERNET ECONOMY FLOURISH 

The United States should continue to work with its trading partners 
from a position of strength at home. More broadly, policymakers need 
to help create an environment in which the Internet economy flourishes. 

Given the rapidly changing nature of information technology and the 
complexity of networked industries, policymakers should strive for a rela- 
tively hands-off regulatory approach. Regulation should be reserved for 
those situations where it is necessary to intervene to ensure fair, trans- 
parent, and nondiscriminatory market behavior. Furthermore, regu- 
lations should also be technology neutral and promote competition 
so as to preserve cyberspace's openness to new devices, applications, 
and services. 

The United States should develop a strong workforce able to pursue new 
market opportunities and create the next wave of innovation. Despite a large 
pool of unemployed workers, employers currently struggle to find skilled 
talent to fill job openings. In a 2012 survey conducted by the American 
Society for Training & Development, 84 percent of respondents reported 
a skills gap in their organizations. 77 Employers in the STEM fields are 
suffering in particular. Jobs related to cloud computing, for example, are 
expected to grow annually by 26 percent through 2015. Some 1.7 million 
cloud-related jobs, however, were not filled in 2012 because job seekers 
did not have the proper training and qualifications . 78 As previously noted, 
the United States will need to raise graduation rates in STEM fields. 

The Obama administration and U.S. Congress should also address 
the needs of today's workforce by simplifying the processes for access- 
ing public-sector training dollars, improving the performance of com- 
munity colleges, and making community colleges more responsive to 
local workforce requirements. 

Furthermore, the United States should pass meaningful immigration 
reform to attract and retain highly skilled talent. The influx of new people 
has been critical to maintaining the competitiveness and creativity of 
the American economy. According to a 2007 study by Duke University 
and the University of California, Berkeley, one-fourth of the technology 
companies started in the United States from 1995 to 2005 had at least 
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one foreign-born founder; a 2012 Kauffman Foundation report found 
that almost one-third of firms in the semiconductor sector, 28 percent 
in computer fields, and 25 percent in innovation and manufacturing- 
related services had one immigrant founder. 79 Openness is essential, 
and the United States needs to remain the place where the most talented 
and skilled still yearn to come. 

SUMMARY OF RECOMMENDATIONS 

• Policymakers should strive for a relatively hands-off regulatory 
approach. Regulation should be reserved for those situations where 
it is necessary to intervene to ensure fair, transparent, and nondis- 
criminatory market behavior. 

■ Regulations should be technology neutral, promote competition 
among different providers, and preserve cyberspace's openness to 
new devices, applications, and services. 

■ The United States needs to develop a strong workforce able to 
pursue new market opportunities and create the next wave of inno- 
vation. In particular, the United States needs to raise graduation 
rates in STEM fields. 

■ The United States should simplify the process for accessing public 
sector training dollars and improve the performance of community col- 
leges to make them more responsive to local workforce requirements. 

■ The United States should pass comprehensive immigration reform 
to attract and retain highly skilled talent. 

INTERNET GOVERNANCE AND THE FREE FLOW 
OF INFORMATION AND KNOWLEDGE 

The free and open Internet of today developed under an informal, 
decentralized process that involved all parties with a stake in its gov- 
ernance. The United States played a dominant role in shaping it. But 
now, as the Internet reaches adulthood, change is happening. The United 
States has a choice: pursue an ultimately fruitless course to maintain its per- 
ceived dominance to date, or adjust to changing realities and the emergence 
of new Internet powers in the developing world. The Task Force urges the 
U.S. government to face the new reality. 
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As noted earlier, the United States and other countries stood on their 
principles to exclude the Internet from a telecommunications treaty at 
the December 2012 meeting of the World Conference on International 
Telecommunications in Dubai. 

The United States has legitimate concerns about certain outcomes in 
the ITU; it wants interconnectivity issues, such as packet switching, to 
stay in the hands of technical and private actors, rather than placed under 
the control of governments. But the United States needs to address the legiti- 
mate access, infrastructure, and security concerns of developing countries. 
Leadership is required, and Washington cannot continue to beat back 
efforts for reform without an alternative. Developing countries need to 
recognize the benefits of the bottom-up, nongovernmental approach. 

RECOMMENDATIONS 

The Task Force believes the United States should articulate and advocate a 
vision of Internet governance that includes emerging Internet powers and 
expands and strengthens the multi-stakeholder process. 

As part of the effort to help ensure cyberspace remains an open and 
global platform for sharing information and knowledge, the Task Force 
recommends the following: 

■ The United States should work with the ITU more consistently and 
persistently. 

■ The Commerce and State Departments should provide greater sup- 
port to the Government Advisory Committee of ICANN and the 
Internet Governance Forum. 

■ The United States should explore alternative venues for discussing 
the challenges of Internet governance and cyber security. 

■ The United States should invest in education, training, and equip- 
ment upgrades in potential partners in the developing world, with the 
Departments of Justice and State setting aside budget allocations for 
this purpose. 

■ Partnering with other governments and NGOs like the Global Net- 
work Initiative, Washington should help demonstrate concrete social, 
political, and economic payoffs from an open Internet. 

■ Working with civil society groups, the United States should 
develop guidelines on the exports of surveillance and other dual-use 
technologies. 
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PROMOTING AN INCLUSIVE AGENDA 

The United States needs to promote an inclusive agenda with three 
parts: 

First, the United States should work with the ITU more consistently and 
persistently. One of the lessons of the WCIT is that the United States 
needs to engage early and often. Ambassador Terry Kramer was 
appointed head of the U.S. delegation to WCIT only in August 2012. 
Six months is not adequate preparation time for mobilizing govern- 
ment and private-sector resources, especially when China was orga- 
nizing for close to three years. The United States needs a tenacious 
international presence led by the White House to combat the ITU's 
incrementalism and it should appoint delegations for international 
forums early on. The United States should also work with like-minded 
nations to identify and build international support for a candidate for 
the ITU secretary-general position who is committed to the multi- 
stakeholder process. 

Second, the State and Commerce Departments should make the multi- 
stakeholder model more inclusive and robust. The Government Advisory 
Committee of ICANN, which provides advice on public policy issues 
and the governance of ICANN as a whole, should receive the support 
it needs to become more efficient and transparent so that it can be seen 
as an effective place for governments to advise and shape policy and 
be accountable to the public at large. The Internet Governance Forum 
(IGF), an open forum established by the World Summit on the Informa- 
tion Society in 2006 and convened by the UN secretary-general, should 
be given more attention and sufficient financial support. 80 The annual 
one-week meetings are not enough, and the system of regional IGFs 
should be strengthened with financial support to the IGF Secretariat 
and for developing world participants to attend. 

Third, the United States should explore alternative venues for discussing 
the challenges of Internet governance and cyber security. Working with 193 
countries at the beginning, however, is too unwieldy. Instead, the agenda 
should be crafted through smaller ad hoc groups or regional groupings. 
The Major Economies Forum on Energy and Climate, for example, 
includes dialogue among developed and developing economies as well 
as concrete initiatives and joint ventures to increase the supply of clean 
energy, and the Global Counterterrorism Forum includes twenty-nine 
countries plus the EU to share expertise and identify needs. Member- 
ship of ad hoc cyber groups would change depending on topic and 
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expertise and would address discrete problems. The United States 
should work with some critical countries, including but not limited to 
China, Brazil, India, Russia, Turkey, Tunisia, Kenya, the United King- 
dom, Estonia, Sweden, Hungary, and South Korea. 

A useful forum is the Open Government Partnership, cofounded by 
the United States and Brazil. 81 More than forty-five signatories from 
the developed and developing world have committed themselves to 
greater transparency, civic participation, and accountability. This is an 
ideal group to develop complementary principles for cyberspace, and a 
working group — not chaired by the United States — should start defin- 
ing how they would apply to Internet governance. 

More narrowly, the Departments of State and Commerce should 
encourage a forum at which developing countries and users can address 
cybersecurity and other technical concerns without having to turn to 
the ITU. The National Telecommunications and Information Admin- 
istration, for example, held a meeting in March 2013 in London to 
follow up on the issue of spam and unsolicited email. These discussions 
should be coordinated with and feed back into the cybersecurity work 
of ICANN and IGF. 

It is not enough just to build alternative processes and institutions; 
the United States also needs to give developing countries the capacity to 
effectively use international processes and institutions. The United States 
should invest in education, training, and equipment upgrades in poten- 
tial partners in the developing world, with the Departments of Justice 
and State needing to set aside budget allocations for this purpose. The 
Department of Justice has conducted international training, and over 
the last three years, the Office of the Coordinator for Cyber Issues in 
the Department of State partnered with Kenya, Senegal, and Ghana 
to cohost cybersecurity and cyber crime workshops. Meeting the scale 
of demand and reaching beyond Africa, however, will take an expan- 
sion of resources and full-time staff in the Office of the Coordinator 
for Cyber Issues. 

Private industry should also be encouraged to invest in cybersecurity in 
the emerging economies. For instance, the Korea Information Security 
Agency is working with Korea Telecom to help build Rwanda's Com- 
puter Emergency Response Team. In March 2013, the U.S. Agency for 
International Development announced a project with Cisco to set up 
two networking academies to provide ICT skills training in Burma. 
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■ The United States should explore alternative venues for discussing 
the challenges of Internet governance and cyber security. 

■ The Departments of State and Commerce should encourage a forum 
at which developing countries and users can address cybersecurity 
and other technical concerns without having to turn to the ITU. 

■ The United States needs to give developing countries the capacity to 
use international processes and institutions effectively. 

■ Private industry should be encouraged to invest in cybersecurity in 
the emerging economies. 

DEMONSTRATE THE BENEFITS OF AN OPEN INTERNET 

The United States has been clear about the political context of Internet 
freedom. Numerous U.S. officials have rightfully stressed that human 
rights and freedoms apply in cyberspace. In July 2012, the United 
States cosponsored a Swedish-led resolution in the UN Human Rights 
Council to protect the free speech of individuals online. 82 The resolu- 
tion, which was approved by all forty-seven members of the council, 
including China and Cuba, recognizes "the global and open nature of 
the Internet as a driving force in accelerating progress towards devel- 
opment in its various forms." The new approach to Internet governance 
needs to include a comprehensive vision of the benefits of the free flow of 
information and knowledge. 

The State Department's spending on Internet freedom initiatives 
from 2008 to 2012 totaled approximately $100 million and includes 
funding for the development of anticensorship and secure communica- 
tions technology, as well as digital safety training for activists and emer- 
gency response support for civil society organizations under threat. 

Washington can also help demonstrate other concrete social and 
political payoffs from an open Internet. The United Nations, or a 
regional security organization such as the OSCE or the ASEAN 
Regional Forum, should develop secure arenas for the uploading of 
verifiable videos during civil or international conflict. This is part of a 
more positive vision of how keeping the Internet open can help advance 
accountability and justice. 
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The most powerful argument for Internet openness is economic. 
U.S. officials have consistently noted that filtering and blocking con- 
tent can have deleterious effects on investment and innovation as well 
as on freedom and self-expression. As former secretary of state Hillary 
Clinton said in reference to China and others, "In the short term, even 
perhaps in the medium term, those governments may succeed in main- 
taining a segmented Internet. But those restrictions will have long-term 
costs that threaten one day to become a noose that restrains growth and 
development." 83 Yet numerous governments continue to believe that 
they can reap economic benefits while maintaining tight control, and 
they may look to the Chinese example to bolster their argument. As 
noted earlier, though a growing body of data link economic growth in 
developed economies to the Internet, the research is lacking for devel- 
oping economies. The United States should press the OECD and other 
international agencies to broaden and deepen actionable research. 

These arguments will empower civil groups and private actors 
within other countries to push for a more open Internet. Such argu- 
ments may be more effective if they are segregated from specific Ameri- 
can foreign policy goals. That is, although the free flow of information 
should remain high on the official U.S. diplomatic agenda, it is better if 
the notion is pushed by local companies and nongovernmental organi- 
zations so as not to allow authoritarian regimes to paint the free flow 
of information as an American idea or as another example of outside 
interference in sovereign matters. 

An organization like the Global Network Initiative (GNI) is an 
important partner in the effort. GNI is a collection of companies, 
investors, NGOs, and academics advocating for users' rights to free- 
dom of expression and privacy. 84 Currently, eleven companies have 
signed on with the GNI, and two are observers. Although GNI has 
recently entered into a two-year collaboration with eight Europe- 
based telecommunications companies, its efforts would be strength- 
ened by greater participation of foreign information technology 
firms, especially from the developing world. 

SUMMARY OF RECOMMENDATIONS 

■ The United States needs to actively "sell" all the benefits of the free 
flow of information and knowledge, including economic and social 
advantages. 
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■ Washington should promote the right to access through the Open 
Government Partnership. A working group, not chaired by the 
United States, should define how to apply the Open Government 
Partnership's principles of transparency, participation, and account- 
ability to Internet access. 

■ The United Nations, or a regional security organization such as 
the OSCE or the ASEAN Regional Forum, should develop secure 
arenas for the uploading of verifiable videos during civil or interna- 
tional conflict. 

■ The United States should continue to make the case that filtering or 
blocking content will have negative effects on investment and innova- 
tion. The United States should encourage the OECD and other inter- 
national agencies to conduct research that links economic growth in 
developing economies to the Internet. 

■ The United States should continue to press for the free flow of infor- 
mation online, but in many instances it should step back and let local 
companies and nongovernmental organizations lead the public 
argument. 

DEVELOP GUIDELINES ON THE EXPORTS 
OF DUAL-USE TECHNOLOGIES 

The difficulty with Internet technologies is that they are inherently 
dual use. Governments and private actors can use them for legiti- 
mate purposes, including network and computer security investiga- 
tions, research, and protection. When used legitimately and legally for 
national security and law enforcement, they can enhance the security 
and safety of the individual user. On the other hand, authoritarian 
states are relying on these technologies to track opposition and facili- 
tate human rights abuses. The United States and its partners need to care- 
fully address the dangers of exporting dual-use technologies while not overly 
regulating exports. Partnerships with civil society, NGOs, and the private 
sector are the best route to effective guidelines. 

Invasive technologies with the capability to track the movement of 
their citizens, read emails and mobile texts , listen in on phone calls, and 
scan online photos are in increasing demand by governments. Soft- 
ware developed by the UK-based Gamma Group was used to moni- 
tor human rights activists in Bahrain and Egypt. Narus, a subsidiary 
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of Boeing, sold surveillance equipment to Egypt, and Internet surveil- 
lance and censorship technology from California-based Blue Coat 
Systems was found being used in Syria and China. 83 

Governments in Europe are already moving to control the exports 
of such equipment. In March 2012, the Council of Europe banned EU 
companies from selling monitoring equipment to Iran. In September, 
the British government imposed export controls on Gamma Group's 
FinSpy surveillance tool, and the government is reportedly consider- 
ing international and/or EU-level agreements on the export of surveil- 
lance equipment. Sometime in 2013, the European Commission will 
introduce rules to improve the monitoring of EU exports of technol- 
ogy that can be used to censor or block websites and monitor mobile 
communications. The European Commission will regularly update a 
list of restricted products and countries. 

The Task Force warns that the legislative approach is heavy-handed 
and inflexible and could generate unintended outcomes. Technol- 
ogy sanctions on Iran and Syria, for example, have made it difficult 
for dissident groups to access technologies that can evade electronic 
surveillance and censorship. In addition, the intense globalization of 
sophisticated development, production, and distribution of informa- 
tion and communication technology products renders many controls 
ineffective and can pose significant competitive disadvantages where 
one country imposes controls and another does not. For example, until 
the mid-1990s, encryption products and technologies were subject to 
unilateral U.S. munitions export controls, creating a major disincen- 
tive to develop products with security features employing U.S. technol- 
ogy. This put the United States at a huge competitive disadvantage with 
other countries at a time when strong encryption capabilities and prod- 
ucts were already widely available internationally. Transferring encryp- 
tion export controls from the U.S. Munitions List to the Commerce 
Control List in 1996 broke this cycle, and U.S. companies were able to 
become highly innovative and globally competitive in the development 
of commercial products with encryption features. 

Unreasonable or excessive controls, whether applied to encryption 
or other technologies, entail much industry effort and restraint with- 
out resulting in purposeful or effective control. This fact is highly rel- 
evant to commercial ICT products and technology, where the utility of 
controls is undermined by commoditization, high volume distribution, 
global and decentralized development and production capabilities, 
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ubiquitous networks and computing capability, and the offsetting ben- 
efits of globalizing the ICT revolution. 

In addressing national security, foreign policy, or other government 
concerns, policymakers should avoid imposing export or other trade 
controls on generally available ICT products and technologies, except 
under narrow and justifiable circumstances. Rather, government poli- 
cies should accommodate and encourage more effective and creative 
ways to address overall national security and other policy challenges, 
opportunities, and options. 

A good example is the aforementioned Global Network Initia- 
tive, which requires companies to conduct human rights assessments 
before introducing products into new markets. Public attention to 
sales of these technologies from the media, as well as congressional 
hearings and testimony, may convince others of the utility of adopting 
similar policies. 

SUMMARY OF RECOMMENDATIONS 

• The United States should avoid a heavy-handed and inflexible legisla- 
tive approach to export controls. Unreasonable or excessive controls 
entail much industry effort and restraint without resulting in pur- 
poseful or effective control. 

■ Policymakers should avoid imposing export or other trade controls 
on generally available ICT products and technologies, except under 
narrow and justifiable circumstances. 

■ Government policies should accommodate and encourage more 
effective and creative ways to address overall national security and 
other policy challenges, opportunities, and options, such as the 
Global Network Initiative. 



Conclusion: An Open, Global, Secure, 
and Resilient Internet 
Is in Everyone's Interest 



The Internet is now an essential tool for governments, companies, and 
individuals . No one can be certain of the future economic, social, politi- 
cal, and cultural opportunities that will emerge; the technology is still 
evolving, and billions of people have yet to go online and communicate, 
create, and build. What is certain is that cyberspace's importance will 
only increase. The United States is well positioned to reap the benefits, 
known and unknown, of the expansion and deepening of this world- 
wide platform for sharing information and data. 

Yet the next two billion users will come from the developing econo- 
mies, and there needs to be greater institutional flexibility to respond 
to these new users' needs and demands. There are threats that travel 
through the Internet and threats to the Internet. Cyberspace is now an 
arena for strategic competition among states, and a growing number 
of actors — state and nonstate — use the Internet for conflict, espionage, 
and crime. Societies are becoming more vulnerable to widespread dis- 
ruption as energy, transportation, communication, and other critical 
infrastructure are connected through computer networks. 

At the same time, the open, global Internet is at risk. Nations are 
reasserting sovereignty and territorializing cyberspace. The justifica- 
tions are many — national security, economic interest, cultural sensitiv- 
ity — but the outcome of blocking, filtering, and regulating is the same: a 
fragmented Internet and a decline in global free expression. Diplomacy 
has done little to close the gap between those who support the private- 
sector-led, multi- stakeholder model of Internet governance and those 
who want a stronger role for the state in cyberspace governance under 
the auspices of the United Nations and the ITU. 

The United States should be realistic about what can be accom- 
plished. Digital policy always involves real trade-offs between privacy, 
security, openness, innovation, and the protection of intellectual prop- 
erty. Multiple sources of power and influence, divergent values, and 
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clashing interests all complicate policymaking within countries and 
across borders. A grand bargain that covers all the concerns of content 
producers and technology innovators is equally unlikely as one between 
liberal democracies and authoritarian states. 

In this context, the Task Force sees its role as not only suggesting pol- 
icies that will help keep the Internet open, global, secure, and resilient, 
but also as framing the problem so policymakers, business leaders, and 
individual users better understand what is at stake and are aware of the 
trade-offs and consequences, expected and unintended, of what those 
policy decisions may be. To that end, the Task Force recommends that 
the Council on Foreign Relations and its members continue to bring the 
public and private sectors, technologists, and policymakers together to 
debate these issues, both at home and abroad. 

U.S . policymakers need to be proactive. The trends do not look good, 
but by building a cyber alliance, making the free flow of information 
a part of all future trade agreements, and articulating an inclusive and 
robust vision of Internet governance, Washington can limit the effects 
of a fragmenting Internet. The United States can no longer rely on its 
role as the progenitor of the Internet to claim the mantle of leadership. 
Rather, it can exert a positive influence on cyberspace by working to 
convince the next wave of users that an open and global Internet is in all 
of our interests. 



Additional Views 



The work of the Independent Task Force and its report, Defending an 
Open, Global, Secure, and Resilient Internet, provides a valuable start- 
ing point for a substantive public discussion about U.S. digital policy. 
The report defines many of the challenges facing U.S. policymakers 
and provides concrete recommendations for the U.S. government and 
major stakeholders. 

Most important, the report provides a framework for more fun- 
damental questions to be asked about the formulation of U.S. digital 
policy. 

Current U.S. policy supports existing institutions in the multi-stake- 
holder governance system in order to promote an open Internet. First 
and foremost, policy leaders must ask: To what degree is this strategy in 
the nation's interest? Supporters of the "bottom-up" concept of gover- 
nance argue that an open Internet promotes innovation. But how does 
this system resolve the inherent tensions between nurturing innovation, 
protecting the outcomes of innovation, and preserving legacy innova- 
tion? Similarly, does this system offer protections for innovators and 
consumers alike? Does it provide for adequate enforcement, account- 
ability, and, ultimately, the predictable, transparent, and sustained rule 
of law? 

The report also paves the way for policy leaders to define the mean- 
ing of an open Internet. What is the appropriate balance between open- 
ness and enforcement? What defines the limits of information sharing 
between governments and the private sector? How is information shar- 
ing reconciled with the privacy rights and related concerns of citizens 
and consumers? 

In the context of global commerce, the United States considers the 
World Trade Organization, which is rooted in the rule of law, to be the 
guarantor of an open and free trade system. Does the United States 
similarly seek an open and free Internet with consensus rules to protect 
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human rights, free speech, and intellectual property? If so, which insti- 
tutions will most effectively guarantee enforcement of core national 
values in the Internet environment? 

There are no easy answers to these questions, as the Task Force 
found. The U.S. government can help by setting appropriate domestic 
expectations about the opportunities and limits of the Internet. But dif- 
ficult questions are too often punted when domestic political consensus 
proves elusive. Nevertheless, consensus is necessary before the United 
States can pursue and secure appropriate global cyber policy objectives. 

U.S. policy leaders cannot afford to abdicate their role in developing 
a comprehensive national digital policy. The Task Force's report should 
serve as a springboard for challenging existing policy assumptions and 
working toward a digital policy that serves U.S. economic and national 
security interests. 

Naotaka Matsukata 



I strongly support the thrust and virtually all of the recommendations 
of this thoughtful and far-ranging report, particularly the need for the 
United States to provide leadership in building new alliances and artic- 
ulating international norms to sustain the viability of this vital capacity 
in the face of the challenges the report identifies. 

My small reservations concern statements about the organization of 
the U.S. government. The report observes, implicitly critically, that "no 
single individual or agency is in charge, short of the president." In my 
view, that is as it should be. The issues surrounding the Internet, as the 
report makes so amply clear, touch on virtually every aspect of govern- 
ment policy, domestic and international. It would be beyond the span of 
any individual to try to manage that diversity; moreover, our experience 
with policy "czars" over the years has shown that this organizational 
approach does not lead to better or more integrated policy. 

We should learn from the Internet itself — what is needed is better 
horizontal and networked coordination among all the affected agen- 
cies, with the White House playing a vital agenda-setting and conven- 
ing role. For this reason, I also believe creating a separate cyber assistant 
secretary and cyber bureau at the State Department is a move in the 
wrong direction — we need to integrate innovative cyber policy into 
all bureaus, not balkanize it as one of many competing perspectives. 



70 



Additional Views 



That is why former secretary of state Clinton created the position of 
cyber coordinator, a position I think should be strengthened as a part 
of the government- wide network for building and implementing good 
cyber policy. 

James B. Steinberg 
joined by Phoebe Yang 

This is, on balance, an excellent report. The title gets it right: rather than 
joining today's narrow drumbeat on cybersecurity, this report empha- 
sizes the Internet as a whole and the importance of maintaining its 
openness and security together. I would like to underscore two points 
arising from the report's treatment of this challenge. 

First, an Internet that is both secure and open is a difficult balance 
to maintain, since regulation can be hard to achieve. No one state can 
singlehandedly alter the Internet's protocols and growth, and those that 
have tried are not good models; they tend not to embrace the rule of 
law, and they are deeply ambivalent about the global character of the 
Internet. To be sure, there is a role that regulation can play in improv- 
ing the state of the Internet, and this report discusses efforts of the U.S. 
Congress in that area. 

Such efforts are cautionary; legislation specifically and govern- 
mental intervention more generally in the area of Internet technology 
can be tricky. Although, for example, there are areas of the Computer 
Fraud and Abuse Act (CFAA) that could be updated to strengthen 
security, the CFAA has recently been rightly criticized for criminaliz- 
ing a broad range of activities that should not qualify as criminal acts 
and may actually stifle legitimate security research. Efforts to reform 
the CFAA to clarify the actions that private-sector actors can take to 
protect networks should incorporate changes that limit criminal penal- 
ties for non-hacking activity. For example, CFAA reform could clarify 
current provisions to make clear that violations of a website's terms of 
service, while possibly a civil issue, should not be criminally prosecut- 
able. Likewise, good-faith efforts to investigate security flaws should 
not be criminal acts. 

I agree with the report's emphasis on market solutions, such as work- 
ing with advertising networks, to mitigate the problem of sites built on 
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infringing content, though elements of due process and the ability to 
appeal such decisions should not be eliminated merely because the solu- 
tions are private. 

Second, the report includes mention of mutual-aid frameworks 
among approaches to Internet resilience. While not panaceas, these 
approaches show great promise. The Internet was built — and continues 
to work — thanks to the collective work of and cooperation among many 
individuals and firms. We should encourage the development of tech- 
nologies that allow Internet users themselves, large and small, to con- 
tribute to its robustness. This can range from efforts to maintain access 
to content despite DDoS attacks to new kinds of ad hoc networks that 
can supplement traditional Internet access paths in the event of local 
overload or disruption during crises. 

The interests of governments that embrace democracy, human and 
civil rights, and the free movement of ideas have been advanced by the 
past twenty years of Internet and Web development. With awareness 
of the real challenges that confront the continued success of the Inter- 
net and appreciation for the qualities that made the Internet thrive, this 
report helps sketch how to keep the Internet thriving. 

Jonathan L. Zittrain 
joined by Elana Berkowitz 
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Anonymous: A loosely organized activist hacking group responsible 
for hacking government and other websites they consider to be sym- 
bols of authority. 

ARPANET: A computer network considered to be the predecessor to 
the Internet, developed by the Advanced Research Project Agency 
(now the Defense Advanced Research Projects Agency) in the 1960s 
and 1970s as a means of communication between research laborato- 
ries and universities. 

Botnet: A network of private computers infected with malicious soft- 
ware and controlled as a group, sometimes without the owners' 
knowledge. 

Code: A text listing of commands to be compiled or assembled into an 
executable computer program. 

Country code top-level domain (ccTLD): An Internet top-level 
domain generally used or reserved for a country, a sovereign state, or 
a dependent territory (for example, .il for Israel). 

Cyber Intelligence Sharing and Protection Act (CISPA): A pro- 
posed law in the U.S. House of Representatives that would allow for 
the sharing of Internet traffic information between the U.S. govern- 
ment and certain technology and manufacturing companies. The 
stated aim of the bill is to help the U.S. government investigate cyber 
threats and ensure the security of networks against cyberattacks. 

Distributed denial of service (DDoS) attack: An attempt to make 
a machine or network resource unavailable to its intended users by 
sending thousands of connection requests to a website every second. 

Domain Name System (DNS): A hierarchical naming system for 
computers, services, or any resource connected to the Internet or a 
private network. 

DomainName System Security Extensions (DNSSEC): A proposed 
suite of Internet Engineering Task Force specifications for securing 
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certain kinds of information provided by the Domain Name System 
(DNS) as used on Internet Protocol networks. It is a set of extensions 
to DNS that provide origin authentication of DNS data, authenti- 
cated denial of existence, and data integrity, but not availability or 
confidentiality. 

Duqu: A malicious computer virus designed to gather intelligence data 
from entities such as industrial control manufacturers in order to be 
able to launch a future attack on an industrial control facility. Inter- 
net security specialists uncovered Duqu in October 2011, declaring 
that its code was nearly identical to that of an earlier computer worm 
called Stuxnet. 

Fixed broadband: High-speed data transmission to homes and busi- 
nesses using technologies such as Ti, cable, DSL, and FiOS, exclud- 
ing cellular data. 

Flame: A malicious software discovered in 2012 that attacks computers 
running the Microsoft Windows operating system. The program is 
being used for targeted cyber espionage in Middle Eastern countries. 

Generic top -level domain (gTLD ) : The core group of generic top -level 
domains, which consists of the .com, .info, .net, and .org domains. 

Hacker: A person who uses computers to gain unauthorized access 
to data. 

Hacktivist: A portmanteau of the words hacker and activist, used to con- 
note a hacker who claims to have a political or philosophical agenda. 

Honeypot: A trap set to detect, deflect, or in some manner counteract 
attempts at unauthorized use of information systems. 

Information and communication technology (ICT): A specific kind 
of information technology that stresses the role of unified com- 
munications, including the integration of telecommunications and 
computers. 

Information Sharing and Analysis Center (ISAC): A private-public 
institution created by the U.S. federal government that provides a 
forum for private-sector actors to share sector-specific threat and 
vulnerability information. 

Information technology (IT): The use of computers and telecom- 
munications equipment to store, retrieve, transmit, and manipulate 
data, often in the context of a business or other enterprise. 

International Telecommunications Regulation (ITR): International 
rules for telecommunications, including international tariffs, set 
forth by the International Telecommunications Union. 
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International Telecommunications Union (ITU): A specialized 
agency of the United Nations responsible for issues that concern 
information and communication technologies. 

Internet Engineering Task Force (IETF): A group of engineers who 
set voluntary standards for Internet engineering and identify best 
practices. Though the IETF has no mechanism for enforcement, the 
standards are default technical Internet requirements. 

Internet Corporation for Assigned Names and Numbers (ICANN): 
A nonprofit organization that sets rules for creating and distributing 
domain names. It operates multilaterally from California. 

Internet of things: A network that links sensors in physical objects, 
such as refrigerators and pacemakers, through virtual networks 
using Internet Protocol addresses. 

Internet Protocol (IP) address: A numerical label assigned to every 
device participating in a computer network. The IP address is used to 
communicate between servers. 

LulzSec: A small offshoot of hacker activist group Anonymous, Lulz 
Security (LulSec or LulzSec) hacks into company and government 
networks for political reasons. 

Malware: Short for malicious software, or any software intended to 
damage or disable computers and computer systems. 

Mutual Legal Assistance Treaties (MLAT): Agreements between 
nations to exchange information in support of investigations of 
criminal behavior. 

Protect IP Act (PIPA): A bill introduced in the U.S. Senate to expand 
the ability of U.S. law enforcement to fight online trafficking in 
copyrighted intellectual property and counterfeit goods, which was 
defeated after popular protest. It is the Senate counterpart of the 
Stop Online Piracy Act (SOPA). 

Red October: A malicious computer virus designed to gather intel- 
ligence from Russian-speaking public sector officials in the former 
Soviet Union and other countries, discovered in 2012. 

Server: A computer or computer program that manages access to a 
centralized resource or service in a network. 

Shamoon: A computer virus discovered in 2012 that was aimed at dis- 
rupting network access in the energy sector and destroyed thirty 
thousand computers in Saudi Aramco. 

Social media: A means of interactions among people in which they 
create, share, and exchange information and ideas in virtual commu- 
nities and networks (for example, Facebook and Twitter). 
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Stop Online Piracy Act (SOPA): A bill introduced in the U.S. House 
of Representatives to expand the ability of U.S. law enforcement 
to fight online trafficking in copyrighted intellectual property and 
counterfeit goods, which was defeated after popular protest. It is the 
House of Representatives counterpart to the Protect IP Act (PIPA). 

Stuxnet: A computer worm discovered in June 2010 believed to have 
been created by the United States and Israel to attack Iran's nuclear 
facilities. 

Top-level domain (TLD): The letters immediately following the final 
dot in an Internet address (for example, .org and .com). 

United States Computer Emergency Readiness Team (U.S. -CERT): 
A clearinghouse for information on cyberattacks, threats, and vulner- 
abilities under the U.S. Department of Homeland Security. 
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